- From: Michael Hausenblas <michael.hausenblas@deri.org>
- Date: Fri, 9 Nov 2012 14:31:57 +0000
- To: Simon Pieters <simonp@opera.com>
- Cc: www-archive@w3.org, Monsur Hossain <monsur@gmail.com>, Anne van Kesteren <annevk@annevk.nl>
Thanks a lot, Simon (and Anne!) - I've filed it under https://github.com/mhausenblas/enable-cors.org/issues/18 and will be fixed ASAP.

Cheers,
Michael

--
Dr. Michael Hausenblas, Research Fellow
DERI - Digital Enterprise Research Institute
NUIG - National University of Ireland, Galway
Ireland, Europe
Tel.: +353 91 495730
http://mhausenblas.info/

On 9 Nov 2012, at 14:11, Simon Pieters wrote:

> Hi
>
> http://enable-cors.org/ says
>
> [[
> Access-Control-Allow-Origin: *
> Access-Control-Allow-Origin: http://example.com:8080 http://foo.example.com
>
> The asterisk permits scripts hosted on any site to load your resources; the space-delimited lists limits access to scripts hosted on the listed servers.
> ]]
>
> http://fetch.spec.whatwg.org/#resource-sharing-check says
>
> [[
> If the value of Access-Control-Allow-Origin is not a case-sensitive match for the value of the Origin header as defined by its specification, return fail and terminate this algorithm.
> ]]
>
> i.e. space separated values will fail.
>
> Please update enable-cors.org to say only one origin can be specified.
>
> Also, an origin has to be specified (rather than using "*") if one wants to use cookies, which does not appear to be discussed.
>
> cheers
> --
> Simon Pieters
> Opera Software
Received on Friday, 9 November 2012 14:32:39 UTC
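
The rule quoted in the thread above, as an added example (not code from enable-cors.org or from the Fetch specification): the server echoes one allowlisted origin instead of sending a space-separated list, and a simplified resource sharing check shows why the list form and `*` with cookies both fail. The allowlist, function names and sample origins are assumptions constructed for illustration; header names are looked up case-sensitively for brevity.

```javascript
// Constructed allowlist: the two origins from the quoted enable-cors.org text.
const ALLOWED_ORIGINS = new Set([
  "http://example.com:8080",
  "http://foo.example.com",
]);

// Server side (hypothetical helper): pick CORS headers for one request.
// Emits exactly one origin, taken from the allowlist, or no CORS headers.
function corsHeadersFor(requestOrigin, { credentials = false } = {}) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    // The response now differs per Origin, so caches must key on it.
    "Vary": "Origin",
  };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Client side: simplified form of the check quoted in the thread.
function resourceSharingCheck(requestOrigin, responseHeaders, withCredentials) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  if (allow === undefined) return "fail";
  // "*" is accepted only when no cookies/credentials are involved.
  if (allow === "*" && !withCredentials) return "pass";
  // Case-sensitive match on the whole header value: a list never matches.
  if (allow !== requestOrigin) return "fail";
  if (withCredentials &&
      responseHeaders["Access-Control-Allow-Credentials"] !== "true") {
    return "fail";
  }
  return "pass";
}

// Runs the cases discussed in the thread against the check.
function demo() {
  const origin = "http://foo.example.com";
  const other = "http://other.example"; // constructed, not on the allowlist
  const list = { "Access-Control-Allow-Origin": [...ALLOWED_ORIGINS].join(" ") };
  const star = { "Access-Control-Allow-Origin": "*" };
  return {
    spaceSeparated: resourceSharingCheck(origin, list, false),
    echoed: resourceSharingCheck(origin, corsHeadersFor(origin), false),
    wildcardWithCookies: resourceSharingCheck(origin, star, true),
    echoedWithCookies: resourceSharingCheck(
      origin, corsHeadersFor(origin, { credentials: true }), true),
    unlisted: resourceSharingCheck(other, corsHeadersFor(other), false),
  };
}
```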