W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2016

Re: Accessing the same CORS-Resource from multiple sites

From: Reto Gmür <me@farewellutopia.com>
Date: Tue, 28 Jun 2016 10:20:49 +0200
Message-Id: <1467102049.205591.650545665.0E24EA85@webmail.messagingengine.com>
To: public-webappsec@w3.org
On Mon, 27 Jun 2016, at 19:04, Daniel Veditz wrote:
> On Mon, Jun 27, 2016 at 5:45 AM, Reto Gmür
> <me@farewellutopia.com> wrote:
>> It seems that the browser is caching some inferred
>>  Access-Control-Allow-Origin-Header and then complaining that the new
>>  host doesn't match. Note that the server actually return "*" as
>>  value of
>>  the header.
>
> When I tried it didn't return "*", it reflected the requesting host.
> This _does_ cause caching issues, and the CORS spec says that if a
> site does NOT return "*" it should include Origin in it's Vary header
> to prevent incorrect caching.
>
> 6.4 Implementation Considerations
> https://www.w3.org/TR/cors/#resource-implementation
>
> Resources that wish to enable themselves to be shared with multiple
> Origins but do not respond uniformly with "*" must in practice
> generate the Access-Control-Allow-Origin header dynamically in
> response to every request they wish to allow. As a consequence,
> authors of such resources should send a Vary: Origin HTTP header or
> provide other appropriate control directives to prevent caching of
> such responses, which may be inaccurate if re-used across-origins.
> Since I can't imagine the w3 site wants to return different cards for
> TBL depending on who is asking it really ought to be using Access-Control-Allow-
> Origin: * rather than reflecting the requesting origin. Blindly
> reflecting the origin is almost never a good idea -- that usually
> means either the origin doesn't matter (use "*" instead) or you may be
> over-sharing data.
 
Thanks Daniel! When I tried with cURL I never sent an "Origin"-header
and so the server replied with "Access-Control-Allow-Origin: *".
 
I must say, it doesn't make me very confident that soon more sites
will be supporting CORS if not even the W3C manages to configure its
server right.
 
Cheers,
Reto
 
Received on Tuesday, 28 June 2016 08:21:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 28 June 2016 08:21:18 UTC