[Bug 19920] New: Don't allow space-separated origins in the syntax


          Priority: P2
            Bug ID: 19920
                CC: mike@w3.org, public-webappsec@w3.org
          Assignee: annevk@annevk.nl
           Summary: Don't allow space-separated origins in the syntax
        QA Contact: dave.null@w3.org
          Severity: normal
    Classification: Unclassified
                OS: All
          Reporter: simonp@opera.com
          Hardware: PC
            Status: NEW
           Version: unspecified
         Component: CORS
           Product: WebAppsSec

http://fetch.spec.whatwg.org/#access-control-allow-origin-response-header says

Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":"
origin-list-or-null | "*"

Since http://fetch.spec.whatwg.org/#resource-sharing-check fails when more than
one origin are specified, I think the syntax should be changed to only allow
one origin. Apparently the Origin header should get the same treatment.

You are receiving this mail because:
You are on the CC list for the bug.

Received on Friday, 9 November 2012 14:32:16 UTC