[cors] Subdomains

2010-07-25 Thread Christoph Päper
Maybe I’m missing something, but shouldn’t it be easy to use certain groups of 
origins in ‘Access-Control-Allow-Origin’, e.g. make either the scheme, the host 
or the port part irrelevant or only match certain subparts of the host part? 

Consider Wikipedia/Wikimedia as an example. If all 200-odd Wikipedias 
(*.wikiPedia.org) but no other site should be able to access certain resources 
from the common repository at commons.wikiMedia.org, wouldn’t everybody expect

  Access-Control-Allow-Origin: http://*.wikipedia.org

to just work? Is the Commons server instead expected to parse the Origin header 
and dynamically set ACAO accordingly? 

Likewise transnational corporations might want something like

  Access-Control-Allow-Origin: http://example.*, http://example.co.*

although they cannot guarantee that they possess the second or third level 
domain name under all top level domains.


[Bug 10234] New: Unused argument in example function prepareDatabase()

2010-07-25 Thread bugzilla
http://www.w3.org/Bugs/Public/show_bug.cgi?id=10234

   Summary: Unused argument in example function prepareDatabase()
   Product: WebAppsWG
   Version: unspecified
  Platform: PC
OS/Version: Linux
    Status: NEW
  Severity: normal
  Priority: P2
 Component: Web Database (editor: Ian Hickson)
AssignedTo: i...@hixie.ch
ReportedBy: eu...@debian.org
 QAContact: member-webapi-...@w3.org
        CC: m...@w3.org, public-webapps@w3.org


Argument 'ready' in example function prepareDatabase() is never used. Because
of this, the next use of prepareDatabase() in the example will not execute
useful code.




Re: [cors] Subdomains

2010-07-25 Thread Tab Atkins Jr.
On Sun, Jul 25, 2010 at 5:25 AM, Christoph Päper
christoph.pae...@crissov.de wrote:
> Maybe I’m missing something, but shouldn’t it be easy to use certain groups
> of origins in ‘Access-Control-Allow-Origin’, e.g. make either the scheme, the
> host or the port part irrelevant or only match certain subparts of the host
> part?
>
> Consider Wikipedia/Wikimedia as an example. If all 200-odd Wikipedias
> (*.wikiPedia.org) but no other site should be able to access certain
> resources from the common repository at commons.wikiMedia.org, wouldn’t
> everybody expect
>
>   Access-Control-Allow-Origin: http://*.wikipedia.org
>
> to just work? Is the Commons server instead expected to parse the Origin
> header and dynamically set ACAO accordingly?

This one might work, but:

> Likewise transnational corporations might want something like
>
>   Access-Control-Allow-Origin: http://example.*, http://example.co.*
>
> although they cannot guarantee that they possess the second or third level
> domain name under all top level domains.

This one won't, because it'll match example.co.evilsite.com.

~TJ



Re: [cors] Subdomains

2010-07-25 Thread Adam Barth
On Sun, Jul 25, 2010 at 8:55 PM, Tab Atkins Jr. jackalm...@gmail.com wrote:
> On Sun, Jul 25, 2010 at 5:25 AM, Christoph Päper
> christoph.pae...@crissov.de wrote:
>> Maybe I’m missing something, but shouldn’t it be easy to use certain groups
>> of origins in ‘Access-Control-Allow-Origin’, e.g. make either the scheme,
>> the host or the port part irrelevant or only match certain subparts of the
>> host part?
>>
>> Consider Wikipedia/Wikimedia as an example. If all 200-odd Wikipedias
>> (*.wikiPedia.org) but no other site should be able to access certain
>> resources from the common repository at commons.wikiMedia.org, wouldn’t
>> everybody expect
>>
>>   Access-Control-Allow-Origin: http://*.wikipedia.org
>>
>> to just work? Is the Commons server instead expected to parse the Origin
>> header and dynamically set ACAO accordingly?
>
> This one might work, but:
>
>> Likewise transnational corporations might want something like
>>
>>   Access-Control-Allow-Origin: http://example.*, http://example.co.*
>>
>> although they cannot guarantee that they possess the second or third level
>> domain name under all top level domains.
>
> This one won't, because it'll match example.co.evilsite.com.

It's very rare for a transnational to actually own all instances of
its name in every TLD.  That would make every new TLD an opportunity
to attack the transnational...  Bad times.

Adam



Re: [CORS] What constitutes a network error?

2010-07-25 Thread Anne van Kesteren

On Wed, 21 Jul 2010 23:54:43 +0200, Jonas Sicking jo...@sicking.cc wrote:
> On Wed, Jul 21, 2010 at 1:14 PM, Alexey Proskuryakov a...@webkit.org
> wrote:
>> On 20.07.2010, at 14:37, Jonas Sicking wrote:
>>
>>> However I haven't been able to find a clear definition of what counts
>>> as a network error. Does this include successful HTTP requests that
>>> return 4xx or 5xx status codes? Or just errors in the lower level of
>>> the stack, such as aborted TCP connections?
>>
>> FWIW, I've been always assuming the latter. Blocking 4xx and 5xx
>> responses would mean having a rather unexpected difference between same
>> origin and cross origin XMLHttpRequest (the former lets JS code see
>> such responses).
>
> I'm fairly certain that when we discussed this at the F2F in Redmond,
> we talked about 4xxs always resulting in failed requests. And that this
> solved some security issues.
>
> However I could be misremembering, or we could have changed our minds
> later.
>
> Definitely would like to hear others speak up.


I don't remember that to be honest. CORS was always meant as some kind of  
layer on top, not interfering with normal HTTP response codes. I do agree  
I should clarify that though.



--
Anne van Kesteren
http://annevankesteren.nl/



Re: [cors] Subdomains

2010-07-25 Thread Christoph Päper
Tab Atkins Jr.:
> On Sun, Jul 25, 2010 at 5:25 AM, Christoph Päper
>
>>   Access-Control-Allow-Origin: http://*.wikipedia.org
>
> This one might work, but:
>
>>   Access-Control-Allow-Origin: http://example.*, http://example.co.*
>
> This one won't, because it'll match example.co.evilsite.com.

I included example.co.* to suggest that the asterisk is a placeholder for one 
level only (also works with IPv4 addresses), but yes, right-side wildcards are 
probably a worse and less useful idea than left-side ones.
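
Added example (not from any poster in this thread): one way a server could do what the first message asks about, parsing the Origin header and setting Access-Control-Allow-Origin dynamically, with the asterisk standing for exactly one left-side host label. The ALLOWED list (including its https entry) and the function names are assumptions made for illustration; right-side wildcards such as http://example.co.* are never matched.

```python
from urllib.parse import urlsplit

# Assumed policy for the Wikimedia case discussed in the thread (illustrative).
ALLOWED = ["http://*.wikipedia.org", "https://commons.wikimedia.org"]
DEFAULT_PORTS = {"http": 80, "https": 443}

def _parts(origin):
    """Return (scheme, host, port) for a bare origin, or None if malformed."""
    try:
        u = urlsplit(origin)
        port = u.port
    except ValueError:
        return None
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        return None
    if u.path or u.query or u.fragment or u.username is not None:
        return None  # an Origin value is scheme://host[:port] and nothing else
    if port is None:
        port = DEFAULT_PORTS[u.scheme]
    return u.scheme, u.hostname.lower(), port

def origin_allowed(origin, patterns=ALLOWED):
    """Exact match, or '*.' standing for exactly one left-side host label."""
    got = _parts(origin)
    if got is None or "*" in got[1]:
        return False
    for pattern in patterns:
        want = _parts(pattern)
        # Scheme and port are never wildcarded.
        if want is None or (got[0], got[2]) != (want[0], want[2]):
            continue
        if want[1].startswith("*.") and "*" not in want[1][2:]:
            first, _, rest = got[1].partition(".")
            # Compare whole labels: a plain endswith() check would accept
            # evilwikipedia.org, and a.b.wikipedia.org is two levels deep.
            if first and rest == want[1][2:]:
                return True
        elif "*" not in want[1] and got[1] == want[1]:
            return True
        # Any other wildcard placement (e.g. example.co.*) falls through.
    return False

def acao_headers(origin):
    """Echo the one matching origin back; send no CORS header otherwise."""
    if origin_allowed(origin):
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}
```

Vary: Origin is included because the response now differs per requesting origin, so shared caches must not reuse it across origins.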


Re: [CORS] What constitutes a network error?

2010-07-25 Thread Jonas Sicking
On Sun, Jul 25, 2010 at 2:33 PM, Anne van Kesteren ann...@opera.com wrote:
> On Wed, 21 Jul 2010 23:54:43 +0200, Jonas Sicking jo...@sicking.cc wrote:
>
>> On Wed, Jul 21, 2010 at 1:14 PM, Alexey Proskuryakov a...@webkit.org
>> wrote:
>>
>>> On 20.07.2010, at 14:37, Jonas Sicking wrote:
>>>
>>>> However I haven't been able to find a clear definition of what counts
>>>> as a network error. Does this include successful HTTP requests that
>>>> return 4xx or 5xx status codes? Or just errors in the lower level of
>>>> the stack, such as aborted TCP connections?
>>>
>>> FWIW, I've been always assuming the latter. Blocking 4xx and 5xx
>>> responses would mean having a rather unexpected difference between same
>>> origin and cross origin XMLHttpRequest (the former lets JS code see such
>>> responses).
>>
>> I'm fairly certain that when we discussed this at the F2F in Redmond,
>> we talked about 4xxs always resulting in failed requests. And that this
>> solved some security issues.
>>
>> However I could be misremembering, or we could have changed our minds
>> later.
>>
>> Definitely would like to hear others speak up.
>
> I don't remember that to be honest. CORS was always meant as some kind of
> layer on top, not interfering with normal HTTP response codes. I do agree I
> should clarify that though.

I don't think we would be interfering with HTTP either way.

Would be great to hear how you are intending to clarify this. I.e. if
a 404 response with CORS headers is exposed to the requesting site.

/ Jonas