Re: CORS Security Question

On Fri, 01 Jul 2011 09:48:43 +0200, Ashar Javed  
<ashar.javed@tu-harburg.de> wrote:
> If a server is returning (Access-Control-Allow-Origin: *) without
> setting the Origin header in the HTTP request, then can we say that the
> server is not implementing CORS properly?
>
> With the help of http://web-sniffer.net/, I randomly checked sites (home  
> pages only) for CORS and nearly 200 sites are returning  
> (Access-Control-Allow-Origin: *).

Doing that seems fine. The specification cannot really forbid that.


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Friday, 1 July 2011 08:41:53 UTC
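
Added example, not part of the original message: one way to tell a server that sends Access-Control-Allow-Origin: * unconditionally (the case asked about above) from one that adds it only when the request carries an Origin header. The raw responses, the probe origin and the category names are constructed for illustration.

```python
# Classify a pair of raw HTTP responses: one fetched without an Origin
# request header, one fetched with "Origin: <origin>".
# All sample responses below are constructed, not captured from real sites.

def acao_values(raw_response: str) -> list[str]:
    """Return every Access-Control-Allow-Origin value in a raw response head."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    values = []
    for line in head.split("\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        # Header names are case-insensitive
        if sep and name.strip().lower() == "access-control-allow-origin":
            values.append(value.strip())
    return values

def classify(no_origin_resp: str, with_origin_resp: str, origin: str) -> str:
    """Compare the probe sent without Origin to the one sent with it."""
    without = acao_values(no_origin_resp)
    with_ = acao_values(with_origin_resp)
    if without == ["*"] and with_ == ["*"]:
        return "static-wildcard"      # sent unconditionally, as in this thread
    if not without and with_ == ["*"]:
        return "wildcard-on-origin"   # added only when the request has Origin
    if not without and with_ == [origin]:
        return "per-origin"           # answers with the requesting origin
    if not without and not with_:
        return "no-cors"
    return "other"

PROBE_ORIGIN = "http://probe.example"  # hypothetical origin for the second probe

STATIC = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "access-control-allow-origin: *\r\n\r\n<html>")
PLAIN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
ECHO = ("HTTP/1.1 200 OK\r\n"
        "Access-Control-Allow-Origin: http://probe.example\r\n\r\n")

if __name__ == "__main__":
    print(classify(STATIC, STATIC, PROBE_ORIGIN))
    print(classify(PLAIN, STATIC, PROBE_ORIGIN))
    print(classify(PLAIN, ECHO, PROBE_ORIGIN))
    print(classify(PLAIN, PLAIN, PROBE_ORIGIN))
```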