- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Wed, 27 Mar 2013 20:41:36 +0100
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
* Mike West wrote:
> One of the conclusions of
> http://www.veracode.com/blog/2013/03/security-headers-on-the-top-1000000-websites-march-2013-report/ (which
> is worth reading) is that developers often misuse
> the 'Access-Control-Allow-Origin' header. At a glance, about 0.5% of the
> sites that use the header send invalid values, mostly wildcarded like
> 'http://*.domain.com'.
>
> Is there value in paving this cowpath?

As I recall it, there was considerable opposition against supporting such
wildcard syntax, and now it's too late to add it to that header. For all we
know such headers are the result of some misconfiguration where someone tried
to name a particular subdomain `*` rather than intending any wildcard matching
semantics for the whole domain, and second-guessing the author's intent would
leave users vulnerable.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Wednesday, 27 March 2013 19:42:07 UTC
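The exchange above turns on two facts: a browser matches `Access-Control-Allow-Origin` byte-for-byte against the serialized request `Origin` (or accepts the single token `*`), so a value like `http://*.domain.com` never matches anything; and the way to allow "every subdomain" is to decide per request on the server and echo the one exact origin. The following Python is an added example written for this archive page, not code from either poster or from the Veracode report. The sample header values, the `example.com` allowlist and the `origin_in_allowed_suffix` helper are constructed for illustration; the hostname regex is a deliberate simplification that does not handle IPv6 literals.

```python
"""Audit Access-Control-Allow-Origin (ACAO) values and show how the
"all subdomains" intent is handled server-side instead of with a wildcard.
All sample values and the allowlist below are constructed for this example.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Simplified hostname shape: letters, digits, dots, hyphens (no IPv6 literals).
_HOST_RE = re.compile(r"[a-z0-9.-]+")


def is_valid_acao_value(value: str) -> bool:
    """True only if a browser could ever match this value against an Origin.

    The CORS check compares the header byte-for-byte with the serialized
    request Origin (scheme://host[:port], no path, no trailing slash), or
    accepts the single token "*" (non-credentialed requests only) or "null".
    Anything else, including "http://*.domain.com" or a comma-separated
    list of origins, never matches and the browser blocks the response.
    """
    v = value.strip()
    if v in ("*", "null"):
        return True
    parts = urlsplit(v)
    if parts.scheme not in ("http", "https"):
        return False
    # A serialized origin carries no path, query, fragment or userinfo.
    if parts.path or parts.query or parts.fragment or parts.username:
        return False
    try:
        parts.port  # raises ValueError on a non-numeric port such as ":abc"
    except ValueError:
        return False
    host = parts.hostname or ""
    return _HOST_RE.fullmatch(host) is not None


def browser_allows(acao_value: str, request_origin: str) -> bool:
    """Mirror the browser's decision for a non-credentialed request."""
    v = acao_value.strip()
    return v == "*" or v == request_origin


def audit(values: List[str]) -> Dict[str, bool]:
    """Classify observed ACAO values as valid (could match) or invalid."""
    return {v: is_valid_acao_value(v) for v in values}


# Server side: exact-origin allowlist plus a parsed suffix check. This is
# the safe way to get what an author writing 'http://*.domain.com' probably
# wanted, without relying on syntax the header does not support.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def origin_in_allowed_suffix(origin: str, parent: str = "example.com") -> bool:
    """Allow any https subdomain of `parent` by parsing the Origin, so that
    'https://evil-example.com' or 'https://example.com.evil.net' do not match."""
    if not is_valid_acao_value(origin) or origin in ("*", "null"):
        return False
    parts = urlsplit(origin)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == parent or host.endswith("." + parent))


def cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Per-request CORS headers: echo the exact Origin if it is allowed,
    otherwise emit no ACAO at all. Vary: Origin keeps shared caches from
    serving one origin's answer to another."""
    headers = {"Vary": "Origin"}
    if request_origin and (request_origin in ALLOWED_ORIGINS
                           or origin_in_allowed_suffix(request_origin)):
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers


if __name__ == "__main__":
    samples = ["*", "https://app.example.com", "http://*.domain.com",
               "https://app.example.com/",
               "https://a.example.com, https://b.example.com"]
    for value, ok in audit(samples).items():
        print(f"{'valid  ' if ok else 'INVALID'}  {value}")
    print(browser_allows("http://*.domain.com", "http://www.domain.com"))
    print(cors_headers("https://shop.example.com"))
```

Run over the constructed samples, `audit` flags the wildcard, the trailing-slash form and the comma-separated list as values no browser will match, while `cors_headers` shows the pattern Björn's reply implies is the right one: the server resolves the author's intent explicitly and sends a single exact origin, rather than a browser guessing at it.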