On Mon, Jun 27, 2016 at 5:45 AM, Reto Gmür <me@farewellutopia.com> wrote: > It seems that the browser is caching some inferred > Access-Control-Allow-Origin-Header and then complaining that the new > host doesn't match. Note that the server actually return "*" as value of > the header. > When I tried it didn't return "*", it reflected the requesting host. This _does_ cause caching issues, and the CORS spec says that if a site does NOT return "*" it should include Origin in it's Vary header to prevent incorrect caching. 6.4 Implementation Considerations https://www.w3.org/TR/cors/#resource-implementation Resources that wish to enable themselves to be shared with multiple Origins but do not respond uniformly with "*" must in practice generate the Access-Control-Allow-Origin header dynamically in response to every request they wish to allow. As a consequence, authors of such resources should send a Vary: Origin HTTP header or provide other appropriate control directives to prevent caching of such responses, which may be inaccurate if re-used across-origins. Since I can't imagine the w3 site wants to return different cards for TBL depending on who is asking it really ought to be using Access-Control-Allow-Origin: * rather than reflecting the requesting origin. Blindly reflecting the origin is almost never a good idea -- that usually means either the origin doesn't matter (use "*" instead) or you may be over-sharing data. -Dan VeditzReceived on Monday, 27 June 2016 17:04:36 UTC
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:20 UTC