On Sun, Jul 25, 2010 at 5:25 AM, Christoph Päper <christoph.pae...@crissov.de> wrote:
> Maybe I’m missing something, but shouldn’t it be easy to use certain groups
> of origins in ‘Access-Control-Allow-Origin’, e.g. make either the scheme, the
> host or the port part irrelevant or only match certain subparts of the host
> part?
>
> Consider Wikipedia/Wikimedia as an example. If all 200-odd Wikipedias
> (*.wikiPedia.org) but no other site should be able to access certain
> resources from the common repository at commons.wikiMedia.org, wouldn’t
> everybody expect
>
> Access-Control-Allow-Origin: http://*.wikipedia.org
>
> to just work? Is the Commons server instead expected to parse the Origin
> header and dynamically set ACAO accordingly?

This one might work, but:

> Likewise transnational corporations might want something like
>
> Access-Control-Allow-Origin: http://example.*, http://example.co.*
>
> although they cannot guarantee that they possess the second or third level
> domain name under all top level domains.

This one won't, because it'll match "example.co.evilsite.com".

~TJ
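
The dynamic approach raised in the thread (parse the Origin header, then set ACAO accordingly), as an added example that is not part of either message. The rule format, the function names and the single allowlist entry are assumptions; `naiveGlobMatch` reads the proposed `*` syntax literally to show the "example.co.evilsite.com" match.

```javascript
// Added example; rule shape and function names are assumptions.

// The proposal in the thread read literally: "*" matches any characters.
function naiveGlobMatch(pattern, origin) {
  const escaped = pattern
    .split("*")
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + escaped + "$", "i").test(origin);
}

// Allowlist: exact scheme, default port, and a host that is the listed
// domain or a subdomain of it (matched right-anchored on a label boundary).
const RULES = [{ scheme: "http:", domain: "wikipedia.org", subdomains: true }];

// Returns the origin to echo back, or null if it is not allowed.
function allowOrigin(originHeader, rules) {
  if (typeof originHeader !== "string") return null;
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return null; // covers the literal "null" origin and malformed values
  }
  // A serialized origin is scheme://host[:port] with nothing after it.
  if (url.origin !== originHeader.toLowerCase()) return null;
  const host = url.hostname;
  for (const rule of rules) {
    if (url.protocol !== rule.scheme || url.port !== "") continue;
    if (host === rule.domain) return url.origin;
    if (rule.subdomains && host.endsWith("." + rule.domain)) return url.origin;
  }
  return null;
}

// Response headers for a request carrying the given Origin header.
function corsHeaders(originHeader, rules = RULES) {
  const headers = { Vary: "Origin" }; // response depends on Origin; tell caches
  const allowed = allowOrigin(originHeader, rules);
  if (allowed !== null) headers["Access-Control-Allow-Origin"] = allowed;
  return headers;
}
```
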