W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2014

[access-control]

From: Akash Jain <akash.delhite@gmail.com>
Date: Fri, 7 Mar 2014 23:46:49 -0800
Message-ID: <CANz9GVzpcFga30YbUAgPjPmm5nAs=JU=AtMbur346v8GS=+VTg@mail.gmail.com>
To: public-webapps@w3.org
Should Access-Control-Allow-Origin need to be domain specific ?

Infosec has recommended us to use this header :

Access-Control-Allow-Origin:http://domainA.mycompany.com,http//*.
mycompany.com

But I also own domain : http://domainB.mycompany.com

So, if i just use

Access-Control-Allow-Origin:http://*.mycompany.com

Will this be enough ? or it needs to be domain specific ?
Received on Monday, 10 March 2014 10:24:41 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:22 UTC