
Re: Accessing the same CORS-Resource from multiple sites

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 28 Jun 2016 16:55:23 +0000
Message-ID: <CAEeYn8j6hr7WUou1mZfhxA1W8ZtwO_JxeM52Pdi+R+cMoXX-2Q@mail.gmail.com>
To: Reto Gmür <me@farewellutopia.com>, public-webappsec@w3.org
If you'd like to comment, I've taken a stab at writing a "CORS for
Developers" doc we might publish as a Working Group note to try to clarify
some of this:

https://docs.google.com/document/d/1AtxTDw-g9BSRW9n9kGTTqNkDTGcVfSKPAOjVGkPFu2k/edit#heading=h.gbk9567omrcz

On Tue, Jun 28, 2016 at 1:23 AM Reto Gmür <me@farewellutopia.com> wrote:

> On Mon, 27 Jun 2016, at 19:04, Daniel Veditz wrote:
>
> On Mon, Jun 27, 2016 at 5:45 AM, Reto Gmür <me@farewellutopia.com> wrote:
>
> It seems that the browser is caching some inferred
> Access-Control-Allow-Origin-Header and then complaining that the new
> host doesn't match. Note that the server actually returns "*" as the value of
> the header.
>
>
> When I tried it didn't return "*", it reflected the requesting host. This
> _does_ cause caching issues, and the CORS spec says that if a site does NOT
> return "*" it should include Origin in its Vary header to prevent
> incorrect caching.
>
> 6.4 Implementation Considerations
> https://www.w3.org/TR/cors/#resource-implementation
>
> Resources that wish to enable themselves to be shared with multiple
> Origins but do not respond uniformly with "*" must in practice generate the
> Access-Control-Allow-Origin header dynamically in response to every request
> they wish to allow. As a consequence, authors of such resources should send
> a Vary: Origin HTTP header or provide other appropriate control directives
> to prevent caching of such responses, which may be inaccurate if re-used
> across-origins.
>
> Since I can't imagine the w3 site wants to return different cards for TBL
> depending on who is asking it really ought to be using
> Access-Control-Allow-Origin: * rather than reflecting the requesting
> origin. Blindly reflecting the origin is almost never a good idea -- that
> usually means either the origin doesn't matter (use "*" instead) or you may
> be over-sharing data.
>
>
> Thanks Daniel! When I tried with cURL I never sent an "Origin"-header and
> so the server replied with "Access-Control-Allow-Origin: *".
>
> I must say, it doesn't make me very confident that soon more sites will be
> supporting CORS if not even the W3C manages to configure its server right.
>
> Cheers,
> Reto
>
>
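To make the caching failure Daniel describes concrete, here is an added example in Python (mine, not code from the thread or from the W3C site): a toy shared cache that keys on the request headers named in the response's Vary header, fed by a server that reflects an allowlisted Origin, with and without "Vary: Origin". The allowlist and the "/card" URL are constructed for the example.

```python
from typing import Callable, Dict, Optional, Tuple

# Constructed allowlist; a real deployment would load this from configuration.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}
Headers = Dict[str, str]


def cors_headers(origin: Optional[str], public: bool, send_vary: bool) -> Headers:
    """Response headers for a request carrying `origin` (None when absent).

    public=True models a resource that answers uniformly with "*".
    public=False models an allowlisted resource that reflects the checked
    origin and, per CORS section 6.4, should also send "Vary: Origin".
    """
    if public:
        return {"Access-Control-Allow-Origin": "*"}
    headers: Headers = {}
    if origin in ALLOWED_ORIGINS:  # check against the allowlist, never reflect blindly
        headers["Access-Control-Allow-Origin"] = origin
    if send_vary:
        headers["Vary"] = "Origin"
    return headers


class SharedCache:
    """Toy cache: a stored response is reused only if the request headers
    named in its Vary header equal those of the request that filled it."""

    def __init__(self) -> None:
        self.store: Dict[Tuple[str, tuple], Headers] = {}

    def fetch(self, url: str, req: Headers,
              server: Callable[[Headers], Headers]) -> Tuple[Headers, bool]:
        for (c_url, varied), resp in self.store.items():
            if c_url == url and all(req.get(h) == v for h, v in varied):
                return resp, True  # cache hit (stale ACAO if Vary was missing)
        resp = server(req)
        vary = [v.strip() for v in resp.get("Vary", "").split(",") if v.strip()]
        self.store[(url, tuple((h, req.get(h)) for h in vary))] = resp
        return resp, False


def browser_allows(origin: str, resp: Headers) -> bool:
    """The check a browser applies to a cross-origin response."""
    acao = resp.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == origin


def simulate(send_vary: bool) -> Tuple[bool, bool]:
    """Two allowlisted origins share one cache; return (second was a hit, second allowed)."""
    cache = SharedCache()

    def server(req: Headers) -> Headers:
        return cors_headers(req.get("Origin"), public=False, send_vary=send_vary)

    cache.fetch("/card", {"Origin": "https://app.example"}, server)
    resp, hit = cache.fetch("/card", {"Origin": "https://admin.example"}, server)
    return hit, browser_allows("https://admin.example", resp)
```

Without Vary the second origin is served the first origin's cached response and the browser rejects it; with Vary: Origin the cache misses and the browser accepts the fresh response.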
Received on Tuesday, 28 June 2016 16:56:01 UTC
