CORS Security Question from Ashar Javed on 2011-07-01 (public-webapps@w3.org from July to September 2011)

From: Ashar Javed <ashar.javed@tu-harburg.de>
Date: Fri, 01 Jul 2011 09:48:43 +0200
To: "public-webapps@w3.org" <public-webapps@w3.org>
Cc: michael.hausenblas@deri.org
Message-ID: <20110701094843.13256dlvj7ekpt8o@webmail.tu-harburg.de>

Hi,

If a server is returning (Access-Control-Allow-Origin: *) without  
setting the Origin header in HTTP request then can we say that server  
is not implementing CORS properly?

With the help of http://web-sniffer.net/, I randomly checked sites  
(home pages only) for CORS and nearly 200 sites are returning  
(Access-Control-Allow-Origin: *).

Cheers,

ashar

Received on Friday, 1 July 2011 08:33:46 UTC