Re: CORS and wildcards.

* Mike West wrote:
>One of the conclusions of
>is worth reading) is that developers often misuse
>the 'Access-Control-Allow-Origin' header. At a glance, about 0.5% of the
>sites that use the header send invalid values, mostly wildcarded like
>Is there value in paving this cowpath?

As I recall it, there was considerable opposition against supporting
such wildcard syntax, and now it's too late to add it to that header.
For all we know such headers are the result of some misconfiguration
where someone tried to name a particular subdomain `*` rather than
intending any wildcard matching semantics for the whole domain and
second-guessing the author's intent would leave users vulnerable.
Björn Höhrmann · ·
Am Badedeich 7 · Telefon: +49(0)160/4415681 ·
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · 

Received on Wednesday, 27 March 2013 19:42:07 UTC