Maybe I’m missing something, but shouldn’t it be easy to use certain groups of
origins in ‘Access-Control-Allow-Origin’, e.g. make either the scheme, the host
or the port part irrelevant or only match certain subparts of the host part?
Consider Wikipedia/Wikimedia as an example. If all 200-odd
Tab Atkins Jr.:
On Sun, Jul 25, 2010 at 5:25 AM, Christoph Päper
Access-Control-Allow-Origin: http://*.wikipedia.org
This one might work, but:
Access-Control-Allow-Origin: http://example.*, http://example.co.*
This one won't, because it'll match example.co.evilsite.com.
I included
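An added example, not part of the original thread: a server-side check that echoes the request's Origin into `Access-Control-Allow-Origin` only when it matches an allowlist. It contrasts a naive glob with a match anchored on the right-hand side of the host. The function names, and the choice to accept the base domain as well as its subdomains, are assumptions made for illustration.

```javascript
// Added example: function names are hypothetical, sample origins are constructed.

// Naive glob: "*" matches any run of characters, dots included.
function globMatch(pattern, origin) {
  const body = pattern.split('*')
    .map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp('^' + body + '$').test(origin);
}

// Stricter check: exact scheme, default port only, and the host must be the
// base domain itself or end with "." + base domain (wildcard on the left only).
function subdomainMatch(scheme, baseDomain, origin) {
  let u;
  try { u = new URL(origin); } catch (e) { return false; }
  if (u.protocol !== scheme + ':' || u.port !== '') return false;
  const host = u.hostname.toLowerCase();
  return host === baseDomain || host.endsWith('.' + baseDomain);
}

// Value to send in Access-Control-Allow-Origin, or null to omit the header.
function allowOriginHeader(origin) {
  return subdomainMatch('http', 'wikipedia.org', origin) ? origin : null;
}

// Constructed sample origins.
const samples = [
  'http://en.wikipedia.org',
  'http://example.co.evilsite.com',
  'http://wikipedia.org.evilsite.com',
];
for (const o of samples) {
  // Columns: origin, result of the right-hand wildcard glob, header value sent.
  console.log(o, globMatch('http://example.co.*', o), allowOriginHeader(o));
}
```

A wildcard on the right of the host lets whoever registers the parent domain satisfy the pattern, while the left-anchored check only accepts hosts under a domain the site operator already controls.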