
Re: Accessing the same CORS-Resource from multiple sites

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 27 Jun 2016 10:04:07 -0700
Message-ID: <CADYDTCD3g0g4T4=FTobOr_W_A03Pq0XdwoWRyh7UTvLap1=rAg@mail.gmail.com>
To: Reto Gmür <me@farewellutopia.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Jun 27, 2016 at 5:45 AM, Reto Gmür <me@farewellutopia.com> wrote:

> It seems that the browser is caching some inferred
> Access-Control-Allow-Origin-Header and then complaining that the new
> host doesn't match. Note that the server actually return "*" as value of
> the header.
>

When I tried it didn't return "*", it reflected the requesting host. This
_does_ cause caching issues, and the CORS spec says that if a site does NOT
return "*" it should include Origin in its Vary header to prevent
incorrect caching.

6.4 Implementation Considerations
https://www.w3.org/TR/cors/#resource-implementation

Resources that wish to enable themselves to be shared with multiple Origins
but do not respond uniformly with "*" must in practice generate the
Access-Control-Allow-Origin header dynamically in response to every request
they wish to allow. As a consequence, authors of such resources should send
a Vary: Origin HTTP header or provide other appropriate control directives
to prevent caching of such responses, which may be inaccurate if re-used
across-origins.

Since I can't imagine the w3 site wants to return different cards for TBL
depending on who is asking it really ought to be using
Access-Control-Allow-Origin: * rather than reflecting the requesting
origin. Blindly reflecting the origin is almost never a good idea -- that
usually means either the origin doesn't matter (use "*" instead) or you may
be over-sharing data.

-Dan Veditz
Received on Monday, 27 June 2016 17:04:36 UTC
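As an added illustration (not part of Dan's mail, the spec text, or the w3 site's own code), the following Python model of a shared cache that honours Vary is run against the three server behaviours discussed above: reflecting the Origin without Vary, reflecting it with Vary: Origin, and answering uniformly with "*". The site origins and the resource URL are constructed placeholders.

```python
from typing import Callable, Dict, List, Tuple

Headers = Dict[str, str]

def reflect_no_vary(req: Headers) -> Headers:
    # Weak: echoes the requesting Origin but gives shared caches no Vary hint.
    return {"Access-Control-Allow-Origin": req.get("Origin", "")}

def reflect_with_vary(req: Headers) -> Headers:
    # Corrected per CORS 6.4: same reflection, plus Vary: Origin.
    return {"Access-Control-Allow-Origin": req.get("Origin", ""), "Vary": "Origin"}

def wildcard(req: Headers) -> Headers:
    # Preferred for public data: one uniform answer that any cache may reuse.
    return {"Access-Control-Allow-Origin": "*"}

class VaryCache:
    """Toy shared cache keyed on URL plus the request-header values named in Vary."""
    def __init__(self) -> None:
        self.entries: Dict[str, List[Tuple[tuple, Headers]]] = {}

    @staticmethod
    def secondary_key(vary: str, req: Headers) -> tuple:
        names = [n.strip() for n in vary.split(",") if n.strip()]
        return tuple((n, req.get(n, "")) for n in names)

    def fetch(self, url: str, req: Headers, origin_server: Callable):
        for key, resp in self.entries.get(url, []):
            if key == self.secondary_key(resp.get("Vary", ""), req):
                return resp, True          # served from cache
        resp = origin_server(req)
        key = self.secondary_key(resp.get("Vary", ""), req)
        self.entries.setdefault(url, []).append((key, resp))
        return resp, False                 # fetched from the origin server

def cors_allowed(resp: Headers, origin: str) -> bool:
    # Browser-side check: "*" or an exact match with the requesting origin.
    acao = resp.get("Access-Control-Allow-Origin", "")
    return acao == "*" or acao == origin

def simulate(origin_server: Callable) -> List[Tuple[str, bool, bool]]:
    """Two sites fetch the same resource through one shared cache.
    Returns (origin, served_from_cache, cors_check_passed) per request."""
    cache = VaryCache()
    url = "https://example.org/card"  # constructed placeholder URL
    out = []
    for origin in ("https://site-a.example", "https://site-b.example"):
        resp, hit = cache.fetch(url, {"Origin": origin}, origin_server)
        out.append((origin, hit, cors_allowed(resp, origin)))
    return out
```

With reflect_no_vary the second site receives the first site's cached Access-Control-Allow-Origin and fails the CORS check; Vary: Origin forces a fresh fetch, and "*" is safely shared from cache.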
