Re: Bug in enable-cors.org

From: Michael Hausenblas <michael.hausenblas@deri.org>
Date: Fri, 9 Nov 2012 14:31:57 +0000
Cc: www-archive@w3.org, Monsur Hossain <monsur@gmail.com>, Anne van Kesteren <annevk@annevk.nl>
Message-Id: <4E3D9048-D98A-4D2E-9262-202F5B858532@deri.org>
To: Simon Pieters <simonp@opera.com>

Thanks a lot, Simon (and Anne!) - I've filed it under https://github.com/mhausenblas/enable-cors.org/issues/18 and it will be fixed ASAP.

Cheers,
	   Michael

--
Dr. Michael Hausenblas, Research Fellow
DERI - Digital Enterprise Research Institute
NUIG - National University of Ireland, Galway
Ireland, Europe
Tel.: +353 91 495730
http://mhausenblas.info/

On 9 Nov 2012, at 14:11, Simon Pieters wrote:

> Hi
> 
> http://enable-cors.org/ says
> 
> [[
> Access-Control-Allow-Origin: *
> Access-Control-Allow-Origin: http://example.com:8080 http://foo.example.com
> 
> The asterisk permits scripts hosted on any site to load your resources; the space-delimited lists limits access to scripts hosted on the listed servers.
> ]]
> 
> http://fetch.spec.whatwg.org/#resource-sharing-check says
> 
> [[
> If the value of Access-Control-Allow-Origin is not a case-sensitive match for the value of the Origin header as defined by its specification, return fail and terminate this algorithm.
> ]]
> 
> i.e. space separated values will fail.
> 
> Please update enable-cors.org to say only one origin can be specified.
> 
> Also, an origin has to be specified (rather than using "*") if one wants to use cookies, which does not appear to be discussed.
> 
> cheers
> -- 
> Simon Pieters
> Opera Software
Received on Friday, 9 November 2012 14:32:39 GMT
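
The check quoted from the Fetch specification above, as an added example that is not part of either message or of enable-cors.org: a simplified client-side resource sharing check next to a server-side helper that answers with exactly one allow-listed origin. The function names and the allow-list are hypothetical, the origins are the ones from the quoted header, and the `Access-Control-Allow-Credentials` and `Vary: Origin` handling follows the CORS specification rather than anything stated in the thread.

```javascript
// Constructed allow-list, using the two origins from the quoted header line.
const ALLOWED_ORIGINS = new Set([
  "http://example.com:8080",
  "http://foo.example.com",
]);

// Server side (hypothetical helper): choose the CORS headers for one request.
// The allow-list lives on the server; the response carries a single origin.
function corsHeadersFor(requestOrigin, { credentials = false } = {}) {
  // Set lookup is an exact, case-sensitive string comparison.
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin, // echo exactly one origin
    "Vary": "Origin", // caches must not reuse this response for another origin
  };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Client side (simplified): the resource sharing check as quoted in the thread.
function resourceSharingCheck(requestOrigin, responseHeaders, { credentials = false } = {}) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;
  // "*" is accepted only for requests made without cookies/credentials.
  if (allow === "*") return !credentials;
  // Must be a case-sensitive match for the Origin header value, so a
  // space-separated list never matches any single origin.
  if (allow !== requestOrigin) return false;
  if (credentials) {
    return responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return true;
}

// The header as enable-cors.org documented it: fails for every origin.
const spaceSeparated = {
  "Access-Control-Allow-Origin": "http://example.com:8080 http://foo.example.com",
};
console.log(resourceSharingCheck("http://foo.example.com", spaceSeparated));

// The corrected pattern: one origin per response, selected per request.
const perRequest = corsHeadersFor("http://foo.example.com", { credentials: true });
console.log(resourceSharingCheck("http://foo.example.com", perRequest, { credentials: true }));
```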