- From: Ashar Javed <justashar@gmail.com>
- Date: Mon, 11 Jul 2011 01:09:44 +0200
- To: public-webapps@w3.org
Received on Monday, 11 July 2011 08:25:14 UTC
Hi,

I am nowadays working on analyzing the deployment of CORS in the wild. By having a crawl I have found some interesting cases. About the following cases, can we say that the sites are using CORS in the wrong manner? The cases are:

1) Access-Control-Allow-Origin: *.

In the above case I am getting in response *. (dot after *). Is it fine or a typo?

2) For another website I am getting in response

Access-Control: allow <*>

3) For another website

Access-Control-Allow-Oritin: *

Oritin instead of Origin.

4) Finally, in another case

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST
Access-Control-Request-Headers: X-Requested-With, *

If the site operator is using * as a value in Access-Control-Request-Headers:, then does the use of "X-Requested-With" make sense, or will only * be fine?

Cheers,
ashar
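The four response patterns from the message, run through a small header lint, as an added example that is not part of the original post. The function name `lint_cors` and the sample header lists are constructed for illustration; the check covers only header names and the syntax of the Access-Control-Allow-Origin value.

```python
import difflib
import re

# CORS response headers, and the preflight request headers a browser sends.
RESPONSE_HEADERS = {
    "access-control-allow-origin", "access-control-allow-methods",
    "access-control-allow-headers", "access-control-allow-credentials",
    "access-control-expose-headers", "access-control-max-age",
}
REQUEST_TO_RESPONSE = {
    "access-control-request-method": "Access-Control-Allow-Methods",
    "access-control-request-headers": "Access-Control-Allow-Headers",
}
# A serialized origin is scheme://host[:port] with no path or trailing text.
ORIGIN_RE = re.compile(
    r"[a-z][a-z0-9+.-]*://(\[[0-9a-f:.]+\]|[^\s/?#:\[\]]+)(:\d+)?", re.I)

def lint_cors(headers):
    """Return (header name, finding) pairs for a list of (name, value) pairs."""
    findings = []
    for name, value in headers:
        key, value = name.strip().lower(), value.strip()
        if not key.startswith("access-control"):
            continue
        if key in REQUEST_TO_RESPONSE:
            findings.append((name, "request header used in a response; "
                             "response counterpart is " + REQUEST_TO_RESPONSE[key]))
        elif key not in RESPONSE_HEADERS:
            # High cutoff so only near-misses (one-letter typos) get a hint.
            close = difflib.get_close_matches(key, sorted(RESPONSE_HEADERS), 1, 0.9)
            hint = "; closest known header: " + close[0] if close else ""
            findings.append((name, "not a CORS response header" + hint))
        elif key == "access-control-allow-origin":
            if value not in ("*", "null") and not ORIGIN_RE.fullmatch(value):
                findings.append((name, f"invalid value {value!r}"))
    return findings

# Constructed sample responses mirroring cases 1-4 in the message.
SAMPLES = {
    1: [("Access-Control-Allow-Origin", "*.")],
    2: [("Access-Control", "allow <*>")],
    3: [("Access-Control-Allow-Oritin", "*")],
    4: [("Access-Control-Allow-Origin", "*"),
        ("Access-Control-Allow-Methods", "GET,POST"),
        ("Access-Control-Request-Headers", "X-Requested-With, *")],
}

if __name__ == "__main__":
    for case, hdrs in SAMPLES.items():
        for name, finding in lint_cors(hdrs):
            print(f"case {case}: {name}: {finding}")
```

A header the lint flags is one a browser will not treat as a CORS grant, so the cross-origin read the site operator intended is not enabled.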