
Re: [cors] Subdomains

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Sun, 25 Jul 2010 13:55:23 -0700
Message-ID: <AANLkTikwj5tTwV0uuyOGXMTeXAoXU=6XMRyXLp4TYXQy@mail.gmail.com>
To: Christoph Päper <christoph.paeper@crissov.de>
Cc: public-webapps@w3.org
On Sun, Jul 25, 2010 at 5:25 AM, Christoph Päper
<christoph.paeper@crissov.de> wrote:
> Maybe I’m missing something, but shouldn’t it be easy to use certain groups of origins in ‘Access-Control-Allow-Origin’, e.g. make either the scheme, the host or the port part irrelevant or only match certain subparts of the host part?
> Consider Wikipedia/Wikimedia as an example. If all 200-odd Wikipedias (*.wikiPedia.org) but no other site should be able to access certain resources from the common repository at commons.wikiMedia.org, wouldn’t everybody expect
>  Access-Control-Allow-Origin: http://*.wikipedia.org
> to just work? Is the Commons server instead expected to parse the Origin header and dynamically set ACAO accordingly?

This one might work, but:

> Likewise transnational corporations might want something like
>  Access-Control-Allow-Origin: http://example.*, http://example.co.*
> although they cannot guarantee that they possess the second or third level domain name under all top level domains.

This one won't, because it'll match "example.co.evilsite.com".

Received on Sunday, 25 July 2010 20:56:17 UTC
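The "parse the Origin header and dynamically set ACAO" approach that the question raises, as an added Python example that is not from this thread and not Wikimedia's code. Access-Control-Allow-Origin carries a single origin or `*`, not a pattern, so the server matches the request's Origin against its own allow-list and echoes the exact origin back (with `Vary: Origin` so caches keep responses per origin). The allow-list entries, hostnames and port choices here are constructed for illustration; the `naive_prefix_match` helper only exists to show the over-match Tab points out, where an `example.co.*` rule implemented as a string prefix also accepts `example.co.evilsite.com`.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example: (scheme, domain suffix, port).
# A suffix entry allows the apex and every label beneath it (en., de., commons., ...).
ALLOWED_ORIGIN_RULES = [
    ("http", "wikipedia.org", 80),
]


def parse_origin(origin):
    """Split a serialized Origin header into (scheme, host, port).

    Returns None for a missing header, the literal 'null' origin, or anything
    that is not a bare scheme://host[:port] (a path, query, or userinfo is not
    a valid Origin value and is treated as unparseable rather than guessed at).
    """
    if origin is None or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return None
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # hostname is already lowercased by urlsplit; drop a trailing dot so
    # 'en.wikipedia.org.' and 'en.wikipedia.org' compare equal.
    return parts.scheme, parts.hostname.rstrip("."), port


def host_matches_suffix(host, suffix):
    """True when host is the suffix itself or ends with '.' + suffix at a label
    boundary, so 'evilwikipedia.org' and 'wikipedia.org.evil.com' do not match."""
    return host == suffix or host.endswith("." + suffix)


def naive_prefix_match(host, prefix):
    """The 'example.co.*' idea implemented as a string prefix. Shown only to
    demonstrate the over-match: any host that starts with the prefix passes."""
    return host.startswith(prefix)


def origin_allowed(origin, rules=ALLOWED_ORIGIN_RULES):
    """Scheme, host and port must all match one rule; a different scheme or
    port is a different origin and is rejected."""
    parsed = parse_origin(origin)
    if parsed is None:
        return False
    scheme, host, port = parsed
    return any(
        scheme == rule_scheme and host_matches_suffix(host, rule_suffix) and port == rule_port
        for rule_scheme, rule_suffix, rule_port in rules
    )


def cors_headers_for(origin, rules=ALLOWED_ORIGIN_RULES):
    """Headers to add to the response for this request's Origin.

    ACAO holds exactly one origin (or '*'), so the matched origin is echoed
    back verbatim. 'Vary: Origin' is sent either way so a cache never serves
    one origin's response (with or without ACAO) to another origin.
    """
    headers = {"Vary": "Origin"}
    if origin_allowed(origin, rules):
        headers["Access-Control-Allow-Origin"] = origin
    return headers


if __name__ == "__main__":
    # Constructed sample Origin values a server might see.
    for sample in ("http://en.wikipedia.org", "http://commons.wikipedia.org",
                   "http://evilwikipedia.org", "http://wikipedia.org.evil.com",
                   "https://en.wikipedia.org", "null"):
        print(f"{sample!r:40} -> {cors_headers_for(sample)}")
    print("naive prefix 'example.co.' accepts example.co.evilsite.com:",
          naive_prefix_match("example.co.evilsite.com", "example.co."))
```

The label-boundary check in `host_matches_suffix` is the whole point: it is what a `*.wikipedia.org` rule has to mean for the allow-list to stay closed, and it is exactly what a loose `example.*` or `example.co.*` pattern cannot express, because the part that varies there is the registrable suffix rather than a label under a domain the operator controls.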
