
Re: [access-control]

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sun, 16 Mar 2014 05:26:19 +0000
Message-ID: <CADnb78hsKG6OWC-rCn5jTb=Av_oYvKOuOq_N5eBTJFeBr+CSfA@mail.gmail.com>
To: Akash Jain <akash.delhite@gmail.com>
Cc: WebApps WG <public-webapps@w3.org>

On Sat, Mar 8, 2014 at 7:46 AM, Akash Jain <akash.delhite@gmail.com> wrote:
> Should Access-Control-Allow-Origin need to be domain specific?
>
> Infosec has recommended us to use this header:
>
> Access-Control-Allow-Origin:http://domainA.mycompany.com,http//*.mycompany.com

That would never work.


> But I also own domain: http://domainB.mycompany.com
>
> So, if I just use
>
> Access-Control-Allow-Origin:http://*.mycompany.com
>
> Will this be enough? Or does it need to be domain specific?

No, you cannot use wildcards. See http://fetch.spec.whatwg.org/ for details.


-- 
http://annevankesteren.nl/
Received on Sunday, 16 March 2014 05:26:49 UTC
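
Because the header carries one origin and no wildcard inside a host name, a server that trusts several subdomains has to validate the request's `Origin` and echo back that single value. The sketch below is an added example, not part of the original message; the `POLICY` object, the function name and the decision to trust every subdomain of `mycompany.com` over `http:` are assumptions taken from the host names in the thread.

```javascript
// Constructed policy for illustration, based on the thread's host names.
const POLICY = {
  schemes: new Set(["http:"]),   // scheme used in the thread's header values
  parentDomain: "mycompany.com", // assumption: every subdomain is trusted
};

// Host names as a browser serializes them: lowercase LDH labels only.
const HOST_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)*$/;

// Map a request's Origin header to the CORS response headers.
// At most one origin is ever echoed; untrusted origins get no ACAO header.
function corsHeadersFor(originHeader, policy = POLICY) {
  // Vary: Origin always, so caches never reuse a response across origins.
  const denied = { "Vary": "Origin" };
  if (typeof originHeader !== "string" || originHeader === "null") return denied;

  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return denied; // not a parseable origin
  }
  // A real Origin is scheme://host[:port]; anything that does not
  // round-trip exactly (path, userinfo, uppercase host) is rejected.
  if (url.origin !== originHeader) return denied;
  if (!policy.schemes.has(url.protocol)) return denied;
  if (url.port !== "") return denied; // default port only
  if (!HOST_RE.test(url.hostname)) return denied; // e.g. a literal "*"

  // Suffix match on a label boundary: the leading dot keeps
  // "evilmycompany.com" and "mycompany.com.attacker.example" out.
  if (!url.hostname.endsWith("." + policy.parentDomain)) return denied;

  return { "Access-Control-Allow-Origin": url.origin, "Vary": "Origin" };
}
```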
