W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

[cors] Subdomains

From: Christoph Päper <christoph.paeper@crissov.de>
Date: Sun, 25 Jul 2010 14:25:58 +0200
Message-Id: <EB4E4AC1-F0F9-48A3-84C1-D0DD4FB464B8@crissov.de>
To: public-webapps@w3.org
Maybe I’m missing something, but shouldn’t it be easy to use certain groups of origins in ‘Access-Control-Allow-Origin’, e.g. make either the scheme, the host or the port part irrelevant or only match certain subparts of the host part? 

Consider Wikipedia/Wikimedia as an example. If all 200-odd Wikipedias (*.wikiPedia.org) but no other site should be able to access certain resources from the common repository at commons.wikiMedia.org, wouldn’t everybody expect

  Access-Control-Allow-Origin: http://*.wikipedia.org

to just work? Is the Commons server instead expected to parse the Origin header and dynamically set ACAO accordingly? 

Likewise transnational corporations might want something like

  Access-Control-Allow-Origin: http://example.*, http://example.co.*

although they cannot guarantee that they possess the second or third level domain name under all top level domains.
Received on Sunday, 25 July 2010 12:26:32 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:10 UTC