This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 19920 - Don't allow space-separated origins in the syntax
Summary: Don't allow space-separated origins in the syntax
Status: RESOLVED INVALID
Alias: None
Product: WebAppsSec
Classification: Unclassified
Component: CORS
Version: unspecified
Hardware: PC Windows 3.1
Importance: P2 normal
Target Milestone: ---
Assignee: Anne
QA Contact: This bug has no owner yet - up for the taking
Reported: 2012-11-09 14:32 UTC by Simon Pieters
Modified: 2013-10-25 22:03 UTC

Description Simon Pieters 2012-11-09 14:32:15 UTC
http://fetch.spec.whatwg.org/#access-control-allow-origin-response-header says

Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" origin-list-or-null | "*"

Since http://fetch.spec.whatwg.org/#resource-sharing-check fails when more than one origin is specified, I think the syntax should be changed to only allow one origin. Apparently the Origin header should get the same treatment.

Comment 1 Odin Hørthe Omdal 2012-11-09 14:58:34 UTC
As far as I know that was done to use the same language from the linked [ORIGIN] page.

But it would be nice to get rid of it, fsck the linked spec. :D

Comment 2 Brad Hill 2013-10-25 22:02:47 UTC
This bug refers to "fetch" not CORS. Closing without spec changes. Access control check behavior forbids multiple origins implicitly.

http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-27-Aug-2013.html

Comment 3 Brad Hill 2013-10-25 22:03:12 UTC
This bug refers to "fetch" not CORS. Closing without spec changes. Access control check behavior forbids multiple origins implicitly.

http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-27-Aug-2013.html
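
The mismatch discussed in this bug, as an added example that is not part of the original thread and not code from the spec or any browser: a simplified JavaScript model in which the header grammar accepts a space-separated origin list while the resource sharing check compares the whole header value against the request's Origin. The function names, the origin regex and the sample origins are assumptions, and the Access-Control-Allow-Credentials step of the check is omitted.

```javascript
// Added example: simplified model, not the spec's or any browser's code.

// Syntax side: origin-list-or-null | "*" admits several space-separated
// origins. ORIGIN_RE is a simplified serialized-origin pattern (assumption).
const ORIGIN_RE = /^[a-z][a-z0-9+.-]*:\/\/[^\s\/:]+(:\d+)?$/i;

function matchesHeaderSyntax(value) {
  if (value === "*" || value === "null") return true;
  return value.split(" ").every((part) => ORIGIN_RE.test(part));
}

// Check side: the header value is compared as one string with the Origin.
// allowOriginValues holds every Access-Control-Allow-Origin value received.
function resourceSharingCheck(requestOrigin, allowOriginValues, withCredentials) {
  if (allowOriginValues.length !== 1) return "fail"; // absent or repeated header
  const value = allowOriginValues[0];
  if (value === "*" && !withCredentials) return "pass";
  // Case-sensitive, whole-string match: a list can never equal one origin.
  return value === requestOrigin ? "pass" : "fail";
}

// Runs both sides on one header value for a request without credentials.
function compare(requestOrigin, headerValue) {
  return {
    syntaxOk: matchesHeaderSyntax(headerValue),
    check: resourceSharingCheck(requestOrigin, [headerValue], false),
  };
}

// Constructed sample values.
const ORIGIN = "https://app.example";
const SAMPLES = [
  "https://app.example",
  "https://app.example https://other.example", // valid syntax, fails the check
  "*",
  "HTTPS://APP.EXAMPLE", // valid syntax, fails the case-sensitive match
];
for (const value of SAMPLES) {
  console.log(JSON.stringify(value), compare(ORIGIN, value));
}
```
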