CORS Findings


I am nowadays working on analyzing the deployment of CORS in the wild. By
running a crawl I have found some interesting cases. For the following
cases, can we say that the sites are using CORS in the wrong manner? The cases:

1) Access-Control-Allow-Origin: *.

In the above case I am getting "*." in the response (a dot after the *). Is it fine or

2) For another website I am getting in response

Access-Control: allow <*>

3) For Another website

Access-Control-Allow-Oritin: *

"Oritin" instead of "Origin".

4) Finally in another case

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST
Access-Control-Request-Headers: X-Requested-With, *

If the site operator is using * as a value in Access-Control-Request-Headers,
then does the use of "X-Requested-With" make sense, or would * alone be fine?



Received on Monday, 11 July 2011 08:25:14 UTC
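Added example (not part of the message above, and not from any project it mentions): a small Python checker that reads a raw block of response headers and reports the problems visible in the four cases quoted in the message. The sample header blocks are constructed from the message; the rules encode only what the CORS spec fixes: the response-side header names, the fact that Access-Control-Request-Headers is sent by the browser on a preflight request rather than by the server, and that Access-Control-Allow-Origin must be "*", "null" or a single serialized origin (scheme://host[:port]), so a value such as "*." never matches any requesting origin and a misspelled or obsolete header name is simply ignored by the browser.

```python
import re

# Response-side CORS headers a server may legitimately send (lower-cased
# for comparison; HTTP header names are case-insensitive).
CORS_RESPONSE_HEADERS = {
    "access-control-allow-origin",
    "access-control-allow-credentials",
    "access-control-allow-methods",
    "access-control-allow-headers",
    "access-control-expose-headers",
    "access-control-max-age",
}

# Headers the *browser* adds to a preflight request. A server that emits
# them in a response has confused the two directions; the map gives the
# response header it presumably meant.
CORS_REQUEST_HEADERS = {
    "access-control-request-method": "Access-Control-Allow-Methods",
    "access-control-request-headers": "Access-Control-Allow-Headers",
}

# A serialized origin: scheme "://" host [":" port]; no path, no wildcard.
ORIGIN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://[A-Za-z0-9.\-]+(:\d+)?$")

# Constructed sample blocks, taken from the four cases quoted in the message.
CASES = {
    "case1": "Access-Control-Allow-Origin: *.",
    "case2": "Access-Control: allow <*>",
    "case3": "Access-Control-Allow-Oritin: *",
    "case4": (
        "Access-Control-Allow-Origin: *\n"
        "Access-Control-Allow-Methods: GET,POST\n"
        "Access-Control-Request-Headers: X-Requested-With, *"
    ),
}


def parse_headers(raw):
    """Split a raw 'Name: value' header block into (name, value) pairs."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line:
            continue  # not a header line; skip
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def check_cors_headers(raw):
    """Return a list of findings for a response header block; [] means clean."""
    findings = []
    for name, value in parse_headers(raw):
        lname = name.lower()
        if not lname.startswith("access-control"):
            continue  # only CORS-looking headers are of interest here
        if lname in CORS_REQUEST_HEADERS:
            findings.append(
                f"{name}: request header sent by the browser, not a response "
                f"header; the server-side equivalent is {CORS_REQUEST_HEADERS[lname]}"
            )
        elif lname not in CORS_RESPONSE_HEADERS:
            findings.append(
                f"{name}: not a CORS response header (typo or obsolete draft "
                "syntax); browsers ignore it, so no cross-origin access is granted"
            )
        elif lname == "access-control-allow-origin":
            if value not in ("*", "null") and not ORIGIN_RE.match(value):
                findings.append(
                    f"{name}: malformed value {value!r}; it matches no requesting "
                    "origin, so cross-origin reads are blocked"
                )
    return findings


if __name__ == "__main__":
    for label, block in CASES.items():
        print(label)
        for finding in check_cors_headers(block) or ["  (no findings)"]:
            print(" ", finding)
```

Running the block prints one finding for each of the four cases: the dotted wildcard in case 1, the non-standard header name in cases 2 and 3, and the request-side header in case 4. A well-formed block such as "Access-Control-Allow-Origin: https://example.com" yields no findings.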