Re: Accessing the same CORS-Resource from multiple sites

On Mon, Jun 27, 2016 at 5:45 AM, Reto Gmür <> wrote:

> It seems that the browser is caching some inferred
> Access-Control-Allow-Origin-Header and then complaining that the new
> host doesn't match. Note that the server actually returns "*" as value of
> the header.

When I tried it didn't return "*", it reflected the requesting host. This
_does_ cause caching issues, and the CORS spec says that if a site does NOT
return "*" it should include Origin in its Vary header to prevent
incorrect caching.

6.4 Implementation Considerations

Resources that wish to enable themselves to be shared with multiple Origins
but do not respond uniformly with "*" must in practice generate the
Access-Control-Allow-Origin header dynamically in response to every request
they wish to allow. As a consequence, authors of such resources should send
a Vary: Origin HTTP header or provide other appropriate control directives
to prevent caching of such responses, which may be inaccurate if re-used

Since I can't imagine the w3 site wants to return different cards for TBL
depending on who is asking it really ought to be using
Access-Control-Allow-Origin: * rather than reflecting the requesting
origin. Blindly reflecting the origin is almost never a good idea -- that
usually means either the origin doesn't matter (use "*" instead) or you may
be over-sharing data.

-Dan Veditz

Received on Monday, 27 June 2016 17:04:36 UTC
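Added example, not part of the thread above and not code from the W3C site or from either poster: a small Node.js model of the caching problem Dan describes. It puts a shared cache in front of a resource and compares three server behaviours: blindly reflecting the request Origin with no Vary header (what he observed), a static `Access-Control-Allow-Origin: *`, and a per-origin allowlist that sends `Vary: Origin`. The origins, the `/card` URL and the allowlist are made up for the demonstration; the cache only models Vary-based key selection, not freshness or Cache-Control.

```javascript
// Hypothetical allowlist, used only by the 'allowlist-vary' strategy.
const ALLOWED_ORIGINS = new Set(['https://a.example', 'https://b.example']);

// Build the CORS response headers the origin server would send for a request.
// Header names are kept lowercase so the cache can look them up uniformly.
function corsHeaders(strategy, requestOrigin) {
  switch (strategy) {
    case 'reflect-blind':
      // What the thread observed: echo whoever asks, and say nothing to caches.
      return { 'access-control-allow-origin': requestOrigin };
    case 'wildcard':
      // Same public data for everyone: a static "*" is cache-safe by itself.
      return { 'access-control-allow-origin': '*' };
    case 'allowlist-vary':
      // Per-origin decision, and Vary: Origin tells caches the answer depends
      // on the Origin request header (sent even on the "not allowed" path so
      // a denial is not cached and replayed to an allowed origin).
      return ALLOWED_ORIGINS.has(requestOrigin)
        ? { 'access-control-allow-origin': requestOrigin, vary: 'Origin' }
        : { vary: 'Origin' };
    default:
      throw new Error(`unknown strategy: ${strategy}`);
  }
}

// Minimal shared cache: an entry matches when the URL matches and every
// request header named in the stored response's Vary has the same value.
// With no Vary, the URL alone is the key, so one entry serves all origins.
class SharedCache {
  constructor() { this.entries = []; }

  lookup(url, reqHeaders) {
    return this.entries.find(e =>
      e.url === url &&
      e.varyNames.every(n => (reqHeaders[n] || '') === (e.reqHeaders[n] || '')));
  }

  store(url, reqHeaders, resHeaders) {
    const varyNames = (resHeaders.vary || '')
      .split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
    this.entries.push({ url, varyNames, reqHeaders, resHeaders });
  }
}

// Would the browser expose the body to a non-credentialed cross-origin reader?
// It accepts "*" or an exact match of its own origin; anything else fails.
function browserAccepts(resHeaders, requestOrigin) {
  const acao = resHeaders['access-control-allow-origin'];
  return acao === '*' || acao === requestOrigin;
}

// Send one request per origin, in order, through a single shared cache and
// record what each site's browser would see and whether it would accept it.
function simulate(strategy, origins, url = '/card') {
  const cache = new SharedCache();
  const results = [];
  for (const origin of origins) {
    const reqHeaders = { origin };
    const hit = cache.lookup(url, reqHeaders);
    let served;
    if (hit) {
      served = hit.resHeaders;                 // cache answers, server not asked
    } else {
      served = corsHeaders(strategy, origin);  // origin server answers
      cache.store(url, reqHeaders, served);
    }
    results.push({
      origin,
      cached: Boolean(hit),
      acao: served['access-control-allow-origin'] || null,
      accepted: browserAccepts(served, origin),
    });
  }
  return results;
}

// Stand-alone demo: the second site fails only under 'reflect-blind'.
for (const strategy of ['reflect-blind', 'wildcard', 'allowlist-vary']) {
  console.log(strategy, simulate(strategy, ['https://a.example', 'https://b.example']));
}
```

In the `reflect-blind` run the cache stores the response for `https://a.example` keyed on URL only, so the request from `https://b.example` is a hit and the browser sees `Access-Control-Allow-Origin: https://a.example`, which is exactly the "header doesn't match the new host" failure reported in the thread. Both fixes make the second request succeed, but by different routes: `*` is the same for everyone so a shared entry is fine, while `Vary: Origin` makes the cache keep one entry per origin. One caveat on the `*` route: browsers reject `*` when the request is made with credentials, so a resource that needs cookies must take the allowlist-plus-Vary route instead.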