[access-control]

Does Access-Control-Allow-Origin need to be domain specific?

Infosec has recommended that we use this header:

Access-Control-Allow-Origin:http://domainA.mycompany.com,http//*.mycompany.com

But I also own the domain: http://domainB.mycompany.com

So, if I just use

Access-Control-Allow-Origin:http://*.mycompany.com

Will this be enough? Or does it need to be domain specific?

Received on Monday, 10 March 2014 10:24:41 UTC
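
Added example, not part of the original message: Access-Control-Allow-Origin takes exactly one origin, `*` or `null`, so a comma-separated list or a `*.mycompany.com` pattern is not matched by browsers, and the usual approach is for the server to check the request's Origin header against an allow-list and echo it back. The function and constant names, the `allowSubdomains` option and the accepted schemes are assumptions for illustration.

```javascript
// Added example; function and constant names are hypothetical.
// The server picks the Access-Control-Allow-Origin value per request,
// because the header cannot carry a list or a subdomain wildcard.

// Exact origins taken from the question above (hosts compared in lowercase).
const EXACT_ORIGINS = new Set([
  "http://domaina.mycompany.com",
  "http://domainb.mycompany.com",
]);

// Optional "any subdomain" policy. This trusts every host under the domain,
// so one compromised or forgotten subdomain can read cross-origin responses.
const SUBDOMAIN_SUFFIX = ".mycompany.com";
const ALLOWED_SCHEMES = new Set(["http:", "https:"]); // assumption

function isAllowedOrigin(origin, { allowSubdomains = false } = {}) {
  if (typeof origin !== "string") return false;
  const candidate = origin.toLowerCase();
  let url;
  try {
    url = new URL(candidate);
  } catch (err) {
    return false; // "null", empty or malformed Origin values
  }
  // An Origin value is scheme://host[:port] only: no path, query or userinfo.
  if (url.origin !== candidate) return false;
  if (EXACT_ORIGINS.has(candidate)) return true;
  // The leading dot in the suffix rejects look-alikes such as notmycompany.com.
  return allowSubdomains &&
    ALLOWED_SCHEMES.has(url.protocol) &&
    url.hostname.endsWith(SUBDOMAIN_SUFFIX);
}

function corsHeadersFor(origin, options) {
  // Vary: Origin keeps caches from serving one origin's response to another.
  const headers = { Vary: "Origin" };
  if (isAllowedOrigin(origin, options)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}
```

Origins that fail the check get no Access-Control-Allow-Origin header at all, which is what makes the browser block the cross-origin read.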