On Sun, Jul 25, 2010 at 8:55 PM, Tab Atkins Jr. <jackalm...@gmail.com> wrote:
> On Sun, Jul 25, 2010 at 5:25 AM, Christoph Päper
> <christoph.pae...@crissov.de> wrote:
>> Maybe I’m missing something, but shouldn’t it be easy to use certain groups
>> of origins in ‘Access-Control-Allow-Origin’, e.g. make either the scheme,
>> the host or the port part irrelevant or only match certain subparts of the
>> host part?
>>
>> Consider Wikipedia/Wikimedia as an example. If all 200-odd Wikipedias
>> (*.wikiPedia.org) but no other site should be able to access certain
>> resources from the common repository at commons.wikiMedia.org, wouldn’t
>> everybody expect
>>
>> Access-Control-Allow-Origin: http://*.wikipedia.org
>>
>> to just work? Is the Commons server instead expected to parse the Origin
>> header and dynamically set ACAO accordingly?
>
> This one might work, but:
>
>> Likewise transnational corporations might want something like
>>
>> Access-Control-Allow-Origin: http://example.*, http://example.co.*
>>
>> although they cannot guarantee that they possess the second or third level
>> domain name under all top level domains.
>
> This one won't, because it'll match "example.co.evilsite.com".
It's very rare for a transnational to actually own all instances of its name in every TLD. That would make every new TLD an opportunity to attack the transnational... Bad times.

Adam
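An added example, not code from this thread, of the dynamic approach Christoph asks about: the server parses the Origin header into scheme, host and port and echoes it back in Access-Control-Allow-Origin only when it matches an allowlist. The allowlist accepts a single leading "*." label wildcard (http://*.wikipedia.org) and refuses a trailing one (http://example.*), since a glob match of that rule also accepts example.co.evilsite.com, as Tab notes. The function names and the COMMONS_RULES allowlist are constructed for the example.

```python
import fnmatch
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def naive_match(pattern, origin):
    """Plain glob matching of 'http://example.*': accepts foreign domains too."""
    return fnmatch.fnmatchcase(origin, pattern)

def parse_origin(origin):
    """Split an Origin header value into (scheme, host, port), or None if malformed."""
    p = urlsplit(origin)
    if (p.scheme not in DEFAULT_PORTS or not p.hostname or "@" in p.netloc
            or p.path or p.query or p.fragment):   # serialized origins carry no path
        return None
    try:
        port = p.port or DEFAULT_PORTS[p.scheme]
    except ValueError:                             # non-numeric or out-of-range port
        return None
    return p.scheme, p.hostname.lower(), port

def compile_rule(rule):
    """Turn an allowlist entry such as 'http://*.wikipedia.org' into a predicate.
    Only one leading '*.' label wildcard is accepted; a rule like 'http://example.*'
    is refused at configuration time because it would match hosts in other domains."""
    scheme, sep, rest = rule.partition("://")
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError("rule must start with http:// or https://: %r" % rule)
    host, _, port = rest.partition(":")
    port = int(port) if port else DEFAULT_PORTS[scheme]
    host = host.lower()
    if host.startswith("*."):
        suffix = host[1:]                          # ".wikipedia.org"
        if "*" in suffix or len(suffix) < 2:
            raise ValueError("only a single leading '*.' wildcard is supported: %r" % rule)
        return lambda o: o[0] == scheme and o[2] == port and o[1].endswith(suffix)
    if "*" in host:
        raise ValueError("wildcard must be the leading label, not %r" % rule)
    return lambda o: o == (scheme, host, port)

def cors_allow_origin(origin_header, rules):
    """Return the exact Origin to echo in Access-Control-Allow-Origin, or None.
    The response must also carry 'Vary: Origin' so shared caches keep answers apart."""
    parsed = parse_origin(origin_header)
    if parsed is None:
        return None
    return origin_header if any(rule(parsed) for rule in rules) else None

# Constructed allowlist for the Commons scenario: every Wikipedia, plain http only.
COMMONS_RULES = [compile_rule("http://*.wikipedia.org")]
```

Because the scheme and port are part of the origin, https://de.wikipedia.org and http://de.wikipedia.org:8080 are rejected by the http://*.wikipedia.org rule; add separate rules if they should be allowed.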