W3C home > Mailing lists > Public > www-archive@w3.org > November 2012

Bug in enable-cors.org

From: Simon Pieters <simonp@opera.com>
Date: Fri, 09 Nov 2012 15:11:16 +0100
To: michael.hausenblas@gmail.com
Cc: "www-archive@w3.org" <www-archive@w3.org>
Message-ID: <op.wnie02g2idj3kv@simons-macbook-pro-2.local>
Hi

http://enable-cors.org/ says

[[
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: http://example.com:8080 http://foo.example.com

The asterisk permits scripts hosted on any site to load your resources;  
the space-delimited lists limits access to scripts hosted on the listed  
servers.
]]

http://fetch.spec.whatwg.org/#resource-sharing-check says

[[
If the value of Access-Control-Allow-Origin is not a case-sensitive match  
for the value of the Origin header as defined by its specification, return  
fail and terminate this algorithm.
]]

i.e. space separated values will fail.

Please update enable-cors.org to say only one origin can be specified.

Also, an origin has to be specified (rather than using "*") if one wants  
to use cookies, which does not appear to be discussed.

cheers
-- 
Simon Pieters
Opera Software
Received on Friday, 9 November 2012 14:11:44 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 9 November 2012 14:11:44 GMT