On Fri, 24 Sep 2010 16:31:52 +0200, Vladimir Dzhuvinov <[email protected]> wrote:
> Another question regarding the CORS spec:
>
> 1. Why would a browser report multiple Origins to the web server?

Redirects.


> 2. http://www.w3.org/TR/access-control/#resource-requests Why does
> the spec prescribe "match any" instead of "match all" when multiple
> origin values are received? Shouldn't the server app determine whether
> AND or OR matching is more appropriate?

The server can pretty much do whatever it wants, but if it does not do what is described here there would be a security vulnerability.


--
Anne van Kesteren
http://annevankesteren.nl/
