- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 24 Sep 2010 16:53:00 +0200
- To: public-webapps <public-webapps@w3.org>, "Vladimir Dzhuvinov" <vladimir@dzhuvinov.com>

On Fri, 24 Sep 2010 16:31:52 +0200, Vladimir Dzhuvinov <vladimir@dzhuvinov.com> wrote:
> Another question regarding the CORS spec:
>
> 1. Why would a browser report multiple Origins to the web server?

Redirects.

> 2. http://www.w3.org/TR/access-control/#resource-requests Why does
> the spec prescribe "match any" instead of "match all" when multiple
> origin values are received? Shouldn't the server app determine whether
> AND or OR matching is more appropriate?

The server can pretty much do whatever it wants, but if it does not do what is described here there would be a security vulnerability.

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Friday, 24 September 2010 14:54:11 UTC
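
The following is an added example, not part of the original message or of the spec text: a server-side check for an Origin header that carries several space-separated origins, as can happen after redirects. It assumes the reading of the referenced step under which no CORS headers are added if any listed origin fails a case-sensitive match against the server's allow-list, and shows a weaker "one match is enough" check beside it for contrast; the function names and origins are hypothetical.

```javascript
// Constructed allow-list for the example (hypothetical origins).
const ALLOWED_ORIGINS = new Set([
  "https://app.example",
  "https://partner.example",
]);

// Split the Origin header on U+0020. After redirects it can carry one
// token per origin in the redirect chain.
function originTokens(originHeader) {
  if (typeof originHeader !== "string" || originHeader === "") return [];
  return originHeader.split(" ");
}

// Strict check: every token must be a case-sensitive match for an allowed
// origin. Returns the value for Access-Control-Allow-Origin, or null when
// no CORS headers should be added to the response.
function allowOriginStrict(originHeader, allowed = ALLOWED_ORIGINS) {
  const tokens = originTokens(originHeader);
  if (tokens.length === 0) return null;
  return tokens.every((t) => allowed.has(t)) ? originHeader : null;
}

// Weak check, shown only for contrast: one matching token is enough, so a
// chain that passed through an origin the server never approved is accepted.
function allowOriginWeak(originHeader, allowed = ALLOWED_ORIGINS) {
  const tokens = originTokens(originHeader);
  return tokens.some((t) => allowed.has(t)) ? originHeader : null;
}

// Constructed sample headers.
const SAMPLES = [
  "https://app.example",
  "https://app.example https://partner.example",
  "https://app.example https://unlisted.example",
  "HTTPS://APP.EXAMPLE",
  "null",
];

for (const h of SAMPLES) {
  console.log(JSON.stringify(h), "strict:", allowOriginStrict(h), "weak:", allowOriginWeak(h));
}
```

The two checks differ only on the third sample, where one origin in the chain is not on the allow-list.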