Re: Accessing the same CORS-Resource from multiple sites

On Mon, 27 Jun 2016, at 19:04, Daniel Veditz wrote:
> On Mon, Jun 27, 2016 at 5:45 AM, Reto Gmür
> <me@farewellutopia.com> wrote:
>> It seems that the browser is caching some inferred
>>  Access-Control-Allow-Origin-Header and then complaining that the new
>>  host doesn't match. Note that the server actually return "*" as
>>  value of
>>  the header.
>
> When I tried it didn't return "*", it reflected the requesting host.
> This _does_ cause caching issues, and the CORS spec says that if a
> site does NOT return "*" it should include Origin in it's Vary header
> to prevent incorrect caching.
>
> 6.4 Implementation Considerations
> https://www.w3.org/TR/cors/#resource-implementation
>
> Resources that wish to enable themselves to be shared with multiple
> Origins but do not respond uniformly with "*" must in practice
> generate the Access-Control-Allow-Origin header dynamically in
> response to every request they wish to allow. As a consequence,
> authors of such resources should send a Vary: Origin HTTP header or
> provide other appropriate control directives to prevent caching of
> such responses, which may be inaccurate if re-used across-origins.
> Since I can't imagine the w3 site wants to return different cards for
> TBL depending on who is asking it really ought to be using Access-Control-Allow-
> Origin: * rather than reflecting the requesting origin. Blindly
> reflecting the origin is almost never a good idea -- that usually
> means either the origin doesn't matter (use "*" instead) or you may be
> over-sharing data.
 
Thanks Daniel! When I tried with cURL I never sent an "Origin"-header
and so the server replied with "Access-Control-Allow-Origin: *".
 
I must say, it doesn't make me very confident that soon more sites
will be supporting CORS if not even the W3C manages to configure its
server right.
 
Cheers,
Reto