Bugzilla – Bug 19920
Don't allow space-separated origins in the syntax
Last modified: 2013-10-25 22:03:12 UTC
Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" origin-list-or-null | "*"
Since http://fetch.spec.whatwg.org/#resource-sharing-check fails when more than one origin are specified, I think the syntax should be changed to only allow one origin. Apparently the Origin header should get the same treatment.
As far as I know that was done to use the same language from the linked [ORIGIN] page.
But it would be nice to rid of it, fsck the linked spec. :D
This bug refers to "fetch" not CORS. Closing without spec changes. Access control check behavior forbids multiple origins implictly.