Bug 19920 - Don't allow space-separated origins in the syntax
Status: RESOLVED INVALID
Product: WebAppsSec
Classification: Unclassified
Component: CORS
Version: unspecified
Hardware: PC Windows 3.1
Importance: P2 normal
Assigned To: Anne
Reported: 2012-11-09 14:32 UTC by Simon Pieters
Modified: 2013-10-25 22:03 UTC
Description Simon Pieters 2012-11-09 14:32:15 UTC
http://fetch.spec.whatwg.org/#access-control-allow-origin-response-header says

Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" origin-list-or-null | "*"

Since http://fetch.spec.whatwg.org/#resource-sharing-check fails when more than one origin is specified, I think the syntax should be changed to only allow one origin. Apparently the Origin header should get the same treatment.
Comment 1 Odin Hørthe Omdal 2012-11-09 14:58:34 UTC
As far as I know that was done to use the same language from the linked [ORIGIN] page.

But it would be nice to get rid of it, fsck the linked spec. :D
Comment 2 Brad Hill 2013-10-25 22:02:47 UTC
This bug refers to "fetch" not CORS. Closing without spec changes. Access control check behavior forbids multiple origins implicitly.

http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-27-Aug-2013.html
Comment 3 Brad Hill 2013-10-25 22:03:12 UTC
This bug refers to "fetch" not CORS. Closing without spec changes. Access control check behavior forbids multiple origins implicitly.

http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-27-Aug-2013.html
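
As an added illustration (not part of the bug thread and not text from either specification): a simplified JavaScript model of the resource sharing check discussed above, showing why a space-separated value never passes, next to the usual server-side pattern of echoing a single allowlisted origin. The function names, the `withCredentials` parameter and the example origins are assumptions made for this sketch.

```javascript
// Added example; names and sample origins are constructed, not from the spec.

// Simplified model of the resource sharing check.
// allowOriginValues: every Access-Control-Allow-Origin value found in the response.
function resourceSharingCheck(requestOrigin, allowOriginValues, withCredentials) {
  // Zero values, or the header repeated, fails outright.
  if (allowOriginValues.length !== 1) return false;
  const value = allowOriginValues[0];
  // "*" is only acceptable when no credentials are sent.
  if (value === '*') return !withCredentials;
  // Case-sensitive comparison of the whole value against the Origin header.
  // A value such as "https://a.example https://b.example" can never equal a
  // single origin, which is how multiple origins are forbidden implicitly.
  return value === requestOrigin;
}

// Server side: since only one origin can be usefully sent, choose it per request.
function selectAllowOrigin(requestOrigin, allowlist) {
  if (typeof requestOrigin !== 'string' || !allowlist.has(requestOrigin)) {
    return null; // emit no CORS headers for unknown or missing origins
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    // The response differs by Origin, so caches must key on it.
    'Vary': 'Origin',
  };
}

// Constructed sample data.
const ALLOWLIST = new Set(['https://app.example', 'https://admin.example']);

function demo() {
  const origin = 'https://app.example';
  const listValue = [...ALLOWLIST].join(' '); // what the syntax would permit
  const chosen = selectAllowOrigin(origin, ALLOWLIST);
  return {
    spaceSeparatedList: resourceSharingCheck(origin, [listValue], false),
    singleEcho: resourceSharingCheck(origin, [chosen['Access-Control-Allow-Origin']], true),
    varyHeader: chosen['Vary'],
    unlistedOrigin: selectAllowOrigin('https://other.example', ALLOWLIST),
  };
}

console.log(demo());
```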