- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 1 Jul 2011 02:21:42 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: "public-webapps@w3.org" <public-webapps@w3.org>, Ashar Javed <ashar.javed@tu-harburg.de>, michael.hausenblas@deri.org
On Fri, Jul 1, 2011 at 1:41 AM, Anne van Kesteren <annevk@opera.com> wrote:

> On Fri, 01 Jul 2011 09:48:43 +0200, Ashar Javed <ashar.javed@tu-harburg.de> wrote:
>>
>> If a server is returning (Access-Control-Allow-Origin: *) without setting
>> the Origin header in the HTTP request, then can we say that the server is not
>> implementing CORS properly?
>>
>> With the help of http://web-sniffer.net/, I randomly checked sites (home
>> pages only) for CORS and nearly 200 sites are returning
>> (Access-Control-Allow-Origin: *).
>
> Doing that seems fine. The specification cannot really forbid that.

This should be allowed for sure. Sending a "*" value for the "Access-Control-Allow-Origin" header is completely safe for servers attached to the public internet. If a site feels that it has content that could be of interest to others, it should feel free to add that header on all its responses, without the complexity of checking if an "Origin" header was present in the request.

/ Jonas
Received on Friday, 1 July 2011 09:22:42 UTC
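The browser-side rule the thread is relying on, as an added example that is not part of the original message: a model of the CORS resource sharing check a browser applies to a response, run over a few constructed scan results like the ones Ashar describes. It goes slightly beyond the thread by also covering the exact-origin and credentialed cases, so the `credentials` parameter and the sample site names are assumptions of this example.

```python
# Added example (not from the original thread). Models the CORS resource
# sharing check: given the request's Origin and the response headers, would a
# browser expose the response body to that origin? Sample data is constructed.

def resource_sharing_check(request_origin, response_headers, credentials=False):
    """Return True if a browser would expose the response to request_origin."""
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        # no CORS header at all: cross-origin reads are blocked
        return False
    if acao == "*":
        # the wildcard is accepted for any origin, whether or not the request
        # carried an Origin header, but only for requests without credentials
        return not credentials
    # otherwise the value must match the request origin exactly
    if acao != request_origin:
        return False
    if credentials:
        return headers.get("access-control-allow-credentials") == "true"
    return True


# Constructed responses standing in for a home-page scan like the one in the thread.
SCAN = {
    "wildcard-site": {"Access-Control-Allow-Origin": "*"},
    "single-origin-site": {"Access-Control-Allow-Origin": "https://app.example"},
    "no-cors-site": {"Content-Type": "text/html"},
}


def summarize_scan(scan, origin="https://app.example", credentials=False):
    """Map each scanned site to whether a page at `origin` could read it."""
    return {
        name: resource_sharing_check(origin, hdrs, credentials)
        for name, hdrs in scan.items()
    }


if __name__ == "__main__":
    for site, allowed in summarize_scan(SCAN).items():
        print(f"{site}: {'readable' if allowed else 'blocked'} from https://app.example")
```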