
Re: [CORS] Multiple origin values?

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 24 Sep 2010 16:53:00 +0200
To: public-webapps <public-webapps@w3.org>, "Vladimir Dzhuvinov" <vladimir@dzhuvinov.com>
Message-ID: <op.vjjkylbu64w2qv@anne-van-kesterens-macbook-pro.local>

On Fri, 24 Sep 2010 16:31:52 +0200, Vladimir Dzhuvinov  
<vladimir@dzhuvinov.com> wrote:
> Another question regarding the CORS spec:
> 1. Why would a browser report multiple Origins to the web server?


> 2. http://www.w3.org/TR/access-control/#resource-requests  Why does
> the spec prescribe "match any" instead of "match all" when multiple
> origin values are received? Shouldn't the server app determine whether
> AND or OR matching is more appropriate?

The server can pretty much do whatever it wants, but if it does not do  
what is described here there would be a security vulnerability.

Anne van Kesteren
Received on Friday, 24 September 2010 14:54:11 UTC
