Re: Accessing the same CORS-Resource from multiple sites

Thanks for the link, Brad.
I read "An anonymous request can be made by setting the withCredentials
flag on an XMLHttpRequest to `false`, which causes the browser to omit
the Origin and Cookie headers in the request". If I could prevent the
browser from sending an Origin header, this would cause the server to
return "*" as the value of the Access-Control-Allow-Origin header. However,
both Firefox and Chromium send the Origin header even when
withCredentials is set to false.
On Tue, 28 Jun 2016, at 18:55, Brad Hill wrote:
> If you'd like to comment, I've taken a stab at writing a "CORS for
> Developers" doc we might publish as a Working Group note to try to
> clarify some of this:
> On Tue, Jun 28, 2016 at 1:23 AM Reto Gmür
> <> wrote:
>> On Mon, 27 Jun 2016, at 19:04, Daniel Veditz wrote:
>>> On Mon, Jun 27, 2016 at 5:45 AM, Reto Gmür <>
>>> wrote:
>>>> It seems that the browser is caching some inferred
>>>> Access-Control-Allow-Origin header and then complaining that the new
>>>> host doesn't match. Note that the server actually returns "*" as the
>>>> value of the header.
>>> When I tried it didn't return "*", it reflected the requesting host.
>>> This _does_ cause caching issues, and the CORS spec says that if a
>>> site does NOT return "*" it should include Origin in its Vary
>>> header to prevent incorrect caching.
>>> 6.4 Implementation Considerations
>>> Resources that wish to enable themselves to be shared with multiple
>>> Origins but do not respond uniformly with "*" must in practice
>>> generate the Access-Control-Allow-Origin header dynamically in
>>> response to every request they wish to allow. As a consequence,
>>> authors of such resources should send a Vary: Origin HTTP header or
>>> provide other appropriate control directives to prevent caching of
>>> such responses, which may be inaccurate if re-used across-origins.
>>> Since I can't imagine the w3 site wants to return different cards
>>> for TBL depending on who is asking, it really ought to be using
>>> Access-Control-Allow-Origin: * rather than reflecting the requesting
>>> origin. Blindly reflecting the origin is almost never a good idea --
>>> that usually means either the origin doesn't matter (use "*" instead)
>>> or you may be over-sharing data.
>> Thanks Daniel! When I tried with cURL I never sent an Origin header
>> and so the server replied with "Access-Control-Allow-Origin: *".
>> I must say, it doesn't make me very confident that soon more sites
>> will be supporting CORS if not even the W3C manages to configure its
>> server right.
>> Cheers,
>> Reto

Received on Thursday, 30 June 2016 11:00:25 UTC
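The caching failure Daniel and Reto describe above, as an added example that is not part of the thread and not the W3C server's configuration: a server-side function that picks Access-Control-Allow-Origin (static "*" or a reflected allow-listed origin), a minimal shared cache that honours Vary, and the browser-side CORS check, run through the resource with and without "Vary: Origin". The resource URL and the two site origins are constructed for the example.

```javascript
// Added example (not code from the thread or from the W3C site).
// Three parties are modelled: the origin server, a shared HTTP cache, and
// the browser's check of Access-Control-Allow-Origin (ACAO).

// Server side. Two sensible policies:
//   allowed === '*'   -> public resource: static "*" (not usable with credentials)
//   allowed is a list -> reflect the Origin only if it is on the list, and
//                        mark the response as varying on Origin (CORS 6.4).
// `vary` can be switched off to reproduce the misconfiguration from the thread.
function corsHeaders(reqHeaders, allowed, vary = true) {
  const origin = reqHeaders.origin;            // absent on a plain curl request
  if (allowed === '*') return { 'access-control-allow-origin': '*' };
  if (origin === undefined || !allowed.includes(origin)) return {};
  const h = { 'access-control-allow-origin': origin };
  if (vary) h.vary = 'Origin';
  return h;
}

// A minimal shared cache. The cache key is the URL plus the values of every
// request header named in the stored response's Vary header (RFC 7234 4.1).
class SharedCache {
  constructor() { this.entries = new Map(); }

  key(url, reqHeaders, vary) {
    const names = (vary || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
    return url + '|' + names.map(n => `${n}=${reqHeaders[n] ?? ''}`).join('&');
  }

  // Returns the response headers plus a `fromCache` flag.
  fetch(url, reqHeaders, server) {
    for (const [k, entry] of this.entries) {
      if (k === this.key(url, reqHeaders, entry.vary)) return { ...entry.headers, fromCache: true };
    }
    const headers = server(reqHeaders);
    this.entries.set(this.key(url, reqHeaders, headers.vary), { headers, vary: headers.vary });
    return { ...headers, fromCache: false };
  }
}

// Browser side: the response check Firefox and Chromium apply.
// "*" is accepted only for requests made without credentials.
function browserAllows(resHeaders, origin, withCredentials) {
  const acao = resHeaders['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials;
  return acao === origin;
}

// Scenario: two sites load the same resource through one shared cache.
// URL and origins are constructed for this example.
function scenario(vary) {
  const cache = new SharedCache();
  const allowed = ['https://a.example', 'https://b.example'];
  const server = req => corsHeaders(req, allowed, vary);
  const url = 'https://api.example/card';
  const a = cache.fetch(url, { origin: 'https://a.example' }, server);
  const b = cache.fetch(url, { origin: 'https://b.example' }, server);
  return {
    aOk: browserAllows(a, 'https://a.example', false),
    bOk: browserAllows(b, 'https://b.example', false),
    bServedFromCache: b.fromCache,
  };
}

console.log('with Vary: Origin   ', scenario(true));   // both sites succeed
console.log('without Vary: Origin', scenario(false));  // b gets a's ACAO from cache and fails
```

Without "Vary: Origin" the second site receives the cached response carrying the first site's reflected origin, which is exactly the "host doesn't match" error seen in the thread; with "*" the problem disappears because the header is the same for every requester, but "*" is rejected by the browser for credentialed requests, so a resource that needs cookies has to use the allow-list form together with Vary.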