Hi, I am nowadays working on analyzing the deployment of CORS in the wild. By doing a crawl I have found some interesting cases. For the following cases, can we say that the sites are using CORS in the wrong manner? The cases are:

1) Access-Control-Allow-Origin: *.
   In the above case I am getting *. in the response (a dot after *). Is it fine, or a typo?

2) For another website I am getting in the response:
   Access-Control: allow <*>

3) For another website:
   Access-Control-Allow-Oritin: *
   Oritin instead of Origin.

4) Finally, in another case:
   Access-Control-Allow-Origin: *
   Access-Control-Allow-Methods: GET,POST
   Access-Control-Request-Headers: X-Requested-With, *
   If the site operator is using * as a value in Access-Control-Request-Headers, does the use of "X-Requested-With" make sense, or will only * be fine?

Cheers,
ashar
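
An added example, not part of the original post: a Python check that a crawl could run over collected response headers to flag the four patterns listed above. The header sets follow the CORS protocol in the Fetch standard; the function name audit, the simplified origin regex and the sample data are assumptions constructed for illustration.

```python
import re

# Response headers defined for the CORS protocol (Fetch standard).
RESPONSE_HEADERS = {
    "access-control-allow-origin", "access-control-allow-credentials",
    "access-control-allow-methods", "access-control-allow-headers",
    "access-control-expose-headers", "access-control-max-age",
}
# Headers the browser sends on a request; they carry no meaning in a response.
REQUEST_HEADERS = {"access-control-request-method", "access-control-request-headers"}
# Simplified origin shape (assumption): scheme://host[:port], no path, no IPv6.
ORIGIN_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:]+(:\d+)?$", re.I)

def audit(headers):
    """Return a list of (header, finding) for Access-Control* response headers."""
    findings = []
    for name, value in headers:
        key, value = name.strip().lower(), value.strip()
        if not key.startswith("access-control"):
            continue
        if key in REQUEST_HEADERS:
            findings.append((name, "request header in a response; ignored by browsers"))
        elif key not in RESPONSE_HEADERS:
            findings.append((name, "not a CORS response header; ignored by browsers"))
        elif key == "access-control-allow-origin" and not (
                value in ("*", "null") or ORIGIN_RE.match(value)):
            findings.append((name, "value is not '*', 'null' or one origin; CORS check fails"))
    return findings

# Constructed samples mirroring the four cases in the post.
CASES = {
    1: [("Access-Control-Allow-Origin", "*.")],
    2: [("Access-Control", "allow <*>")],
    3: [("Access-Control-Allow-Oritin", "*")],
    4: [("Access-Control-Allow-Origin", "*"),
        ("Access-Control-Allow-Methods", "GET,POST"),
        ("Access-Control-Request-Headers", "X-Requested-With, *")],
}

if __name__ == "__main__":
    for n, hdrs in CASES.items():
        for header, finding in audit(hdrs):
            print(f"case {n}: {header}: {finding}")
```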
