19920 2012-11-09 14:32:15 +0000 Don't allow space-separated origins in the syntax 2013-10-25 22:03:12 +0000 1 1 1 Unclassified WebAppsSec CORS unspecified PC Windows 3.1 RESOLVED INVALID P2 normal --- 1 zcorpan annevk hillbrad lavacochesmadrid mike odinho public-webappsec dave.null oldest_to_newest 78109 0 zcorpan 2012-11-09 14:32:15 +0000 http://fetch.spec.whatwg.org/#access-control-allow-origin-response-header says Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" origin-list-or-null | "*" Since http://fetch.spec.whatwg.org/#resource-sharing-check fails when more than one origin are specified, I think the syntax should be changed to only allow one origin. Apparently the Origin header should get the same treatment. 78115 1 odinho 2012-11-09 14:58:34 +0000 As far as I know that was done to use the same language from the linked [ORIGIN] page. But it would be nice to rid of it, fsck the linked spec. :D 95366 2 hillbrad 2013-10-25 22:02:47 +0000 This bug refers to "fetch" not CORS. Closing without spec changes. Access control check behavior forbids multiple origins implictly. http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-27-Aug-2013.html 95367 3 hillbrad 2013-10-25 22:03:12 +0000 This bug refers to "fetch" not CORS. Closing without spec changes. Access control check behavior forbids multiple origins implictly. http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-27-Aug-2013.html