On Fri, Jul 1, 2011 at 1:41 AM, Anne van Kesteren <[email protected]> wrote:
> On Fri, 01 Jul 2011 09:48:43 +0200, Ashar Javed <[email protected]>
> wrote:
>>
>> If a server is returning (Access-Control-Allow-Origin: *) without setting
>> the Origin header in HTTP request then can we say that server is not
>> implementing CORS properly?
>>
>> With the help of http://web-sniffer.net/, I randomly checked sites (home
>> pages only) for CORS and nearly 200 sites are returning
>> (Access-Control-Allow-Origin: *).
>
> Doing that seems fine. The specification cannot really forbid that.

This should be allowed for sure. Sending a "*" value for the
"Access-Control-Allow-Origin" header is completely safe for servers
attached to the public internet. If a site feels that it has content
that could be of interest to others, it should feel free to add that
header on all its responses, without the complexity of checking if a
"Origin" header was present in the request.

/ Jonas
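To make the server-side choice concrete, here is an added example (mine, not code from this thread or from any site Ashar checked) contrasting the unconditional `*` Jonas describes with the Origin-checking alternative, plus a check for the one header combination browsers refuse; the allow-list origins and sample requests are made up.

```python
"""Added example: unconditional wildcard vs. Origin-checking CORS, and a
check for the combination browsers reject (wildcard plus credentials)."""

from typing import Dict, List

# Hypothetical allow-list used only by the Origin-checking variant.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_wildcard(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Jonas's approach for public content: send '*' on every response
    and never look at the Origin request header. The wildcard is safe
    because browsers will not attach cookies or HTTP auth under it."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers_allowlist(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Per-origin variant for responses that carry user data: echo the
    Origin only if it is allow-listed, and add Vary: Origin so a cache
    does not hand one origin's response to another."""
    origin = request_headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}  # no CORS headers: the browser blocks cross-origin reads
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cors_misconfigurations(response_headers: Dict[str, str]) -> List[str]:
    """Flag header combinations that are wrong whatever the Origin was.
    A bare '*' (what the ~200 home pages returned) raises nothing."""
    findings = []
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "")
    if acao == "*" and creds.lower() == "true":
        findings.append("wildcard origin combined with credentials")
    if acao and acao != "*" and "Vary" not in response_headers:
        findings.append("per-origin value without Vary: Origin")
    return findings


if __name__ == "__main__":
    # Constructed request: any Origin, the wildcard answer is the same.
    print(cors_headers_wildcard({"Origin": "https://other.example"}))
    print(cors_headers_allowlist({"Origin": "https://app.example.com"}))
    print(cors_misconfigurations({"Access-Control-Allow-Origin": "*",
                                  "Access-Control-Allow-Credentials": "true"}))
```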
