
CORS Findings

From: Ashar Javed <justashar@gmail.com>
Date: Mon, 11 Jul 2011 01:09:44 +0200
Message-ID: <CAD5mSqVgHXto7M7G+ECqEdt6FUF2-=kJDszBe9LM6Jj75Do5gw@mail.gmail.com>
To: public-webapps@w3.org

I am nowadays working on analyzing the deployment of CORS in the wild. By
running a crawl I have found some interesting cases. About the following
cases, can we say that the sites are using CORS in the wrong manner: The cases

1) Access-Control-Allow-Origin: *.

In the above case I am getting in response *. (dot after *). Is it fine or

2) For another website I am getting in response

Access-Control: allow <*>

3) For another website

Access-Control-Allow-Oritin: *

Oritin instead of Origin..

4) Finally in another case

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST
Access-Control-Request-Headers: X-Requested-With, *

If the site operator is using * as a value in Access-Control-Request-Headers,
does the use of "X-Requested-With" make sense, or will only * be fine?


Received on Monday, 11 July 2011 08:25:14 UTC
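
Added example, not part of the original message: a small Python linter that flags the four header patterns reported above when run over the response headers collected by a crawl. The function name `lint_cors`, the finding codes and the `SAMPLES` data are constructed for illustration.

```python
import difflib
import re

# Response headers defined by the CORS specification (lower-cased).
RESPONSE_HEADERS = {
    "access-control-allow-origin", "access-control-allow-credentials",
    "access-control-allow-methods", "access-control-allow-headers",
    "access-control-expose-headers", "access-control-max-age",
}
# Headers that only a browser sends, on the request side.
REQUEST_HEADERS = {"access-control-request-method", "access-control-request-headers"}
# A serialized origin: scheme://host with optional port and no path.
ORIGIN_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(\[[0-9a-f:.]+\]|[^/\s:]+)(:\d+)?$", re.I)


def lint_cors(headers):
    """Return (code, header name, detail) findings for (name, value) pairs."""
    findings = []
    for name, value in headers:
        lname, value = name.lower(), value.strip()
        if not lname.startswith("access-control"):
            continue
        if lname in REQUEST_HEADERS:
            findings.append(("request-header-in-response", name,
                             "sent by browsers, has no effect in a response"))
        elif lname not in RESPONSE_HEADERS:
            near = difflib.get_close_matches(lname, sorted(RESPONSE_HEADERS), n=1, cutoff=0.85)
            hint = "likely typo of " + near[0] if near else "not a CORS header"
            findings.append(("unknown-header", name, hint))
        elif lname == "access-control-allow-origin":
            if value not in ("*", "null") and not ORIGIN_RE.match(value):
                findings.append(("bad-origin-value", name,
                                 repr(value) + " is not '*', 'null' or one origin"))
    return findings


# Constructed sample responses mirroring the four cases in the message.
SAMPLES = {
    1: [("Access-Control-Allow-Origin", "*.")],
    2: [("Access-Control", "allow <*>")],
    3: [("Access-Control-Allow-Oritin", "*")],
    4: [("Access-Control-Allow-Origin", "*"),
        ("Access-Control-Allow-Methods", "GET,POST"),
        ("Access-Control-Request-Headers", "X-Requested-With, *")],
}

if __name__ == "__main__":
    for case, hdrs in SAMPLES.items():
        for finding in lint_cors(hdrs):
            print(case, *finding)
```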
