Re: [cors] Subdomains
On Sun, 25 Jul 2010 14:25:58 +0200, Christoph Päper christoph.pae...@crissov.de wrote:
> Maybe I’m missing something, but shouldn’t it be easy to use certain groups of origins in ‘Access-Control-Allow-Origin’, e.g. make either the scheme, the host or the port part irrelevant or only match certain subparts of the host part?

We had something like that long ago, but decided the complexity was not worth it. At least not for now.

So yes, the Commons server would have to implement the appropriate logic. It does not actually have to parse the header though, as the draft says it could simply contain a list of origins it allows requests from and compare the incoming origin against said list. That would probably be safer than to try parsing things manually.

-- 
Anne van Kesteren
http://annevankesteren.nl/
Re: [cors] Subdomains
On Sun, Jul 25, 2010 at 5:25 AM, Christoph Päper christoph.pae...@crissov.de wrote:
> Maybe I’m missing something, but shouldn’t it be easy to use certain groups of origins in ‘Access-Control-Allow-Origin’, e.g. make either the scheme, the host or the port part irrelevant or only match certain subparts of the host part?
>
> Consider Wikipedia/Wikimedia as an example. If all 200-odd Wikipedias (*.wikiPedia.org) but no other site should be able to access certain resources from the common repository at commons.wikiMedia.org, wouldn’t everybody expect
>
> Access-Control-Allow-Origin: http://*.wikipedia.org
>
> to just work? Is the Commons server instead expected to parse the Origin header and dynamically set ACAO accordingly?

This one might work, but:

> Likewise transnational corporations might want something like
>
> Access-Control-Allow-Origin: http://example.*, http://example.co.*
>
> although they cannot guarantee that they possess the second or third level domain name under all top level domains.

This one won't, because it'll match example.co.evilsite.com.

~TJ
Re: [cors] Subdomains
On Sun, Jul 25, 2010 at 8:55 PM, Tab Atkins Jr. jackalm...@gmail.com wrote:
> On Sun, Jul 25, 2010 at 5:25 AM, Christoph Päper christoph.pae...@crissov.de wrote:
>> Maybe I’m missing something, but shouldn’t it be easy to use certain groups of origins in ‘Access-Control-Allow-Origin’, e.g. make either the scheme, the host or the port part irrelevant or only match certain subparts of the host part?
>>
>> Consider Wikipedia/Wikimedia as an example. If all 200-odd Wikipedias (*.wikiPedia.org) but no other site should be able to access certain resources from the common repository at commons.wikiMedia.org, wouldn’t everybody expect
>>
>> Access-Control-Allow-Origin: http://*.wikipedia.org
>>
>> to just work? Is the Commons server instead expected to parse the Origin header and dynamically set ACAO accordingly?
>
> This one might work, but:
>
>> Likewise transnational corporations might want something like
>>
>> Access-Control-Allow-Origin: http://example.*, http://example.co.*
>>
>> although they cannot guarantee that they possess the second or third level domain name under all top level domains.
>
> This one won't, because it'll match example.co.evilsite.com.

It's very rare for a transnational to actually own all instances of its name in every TLD. That would make every new TLD an opportunity to attack the transnational... Bad times.

Adam
Re: [cors] Subdomains
Tab Atkins Jr.:
> On Sun, Jul 25, 2010 at 5:25 AM, Christoph Päper
>> Access-Control-Allow-Origin: http://*.wikipedia.org
>
> This one might work, but:
>
>> Access-Control-Allow-Origin: http://example.*, http://example.co.*
>
> This one won't, because it'll match example.co.evilsite.com.

I included example.co.* to suggest that the asterisk is a placeholder for one level only (also works with IPv4 addresses), but yes, right-side wildcards are probably a worse and less useful idea than left-side ones.
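The two approaches the thread circles around, as an added example that is not part of any of the messages above and not code from the CORS draft: Anne's suggestion of comparing the incoming Origin verbatim against a configured list, and the one-level-only reading of the asterisk that Christoph describes, with right-side wildcards refused at configuration time. A glob-style comparison is included only to show why `example.co.*` also matches `example.co.evilsite.com`. Everything here (function names, the sample allowlist, the assumption that origins are serialized as `scheme://host[:port]` without IPv6 literals) is the example's own.

```python
# Added example (not from the thread): deciding what a server such as the
# Commons one can echo in Access-Control-Allow-Origin.
# Assumed: serialized origins look like "scheme://host[:port]" (no IPv6 literals).
from fnmatch import fnmatchcase

DEFAULT_PORTS = {"http": "80", "https": "443"}


def split_origin(origin):
    """Split a serialized origin into (scheme, host labels, port), lower-cased,
    with the scheme's default port filled in so that
    'http://a.example' and 'http://a.example:80' compare equal."""
    scheme, sep, rest = origin.partition("://")
    if not sep or not rest or "/" in rest:
        raise ValueError("not a serialized origin: %r" % (origin,))
    host, _, port = rest.partition(":")
    labels = host.lower().split(".")
    if any(not label for label in labels):
        raise ValueError("malformed host in origin: %r" % (origin,))
    scheme = scheme.lower()
    return scheme, labels, port or DEFAULT_PORTS.get(scheme, "")


def compile_pattern(pattern):
    """Accept 'http://*.wikipedia.org', where '*' stands for exactly one label and
    may only be the leftmost one. A trailing or embedded wildcard such as
    'http://example.co.*' is refused when the allowlist is loaded, since no
    label rule bounds what it matches (the example.co.evilsite.com problem)."""
    scheme, labels, port = split_origin(pattern)
    for i, label in enumerate(labels):
        if "*" in label and (label != "*" or i != 0):
            raise ValueError("only a leading single-label wildcard is allowed: %r" % (pattern,))
    return scheme, labels, port


def pattern_matches(origin, compiled):
    """One-level wildcard match: scheme and port must be equal, the label counts
    must be equal, and '*' consumes exactly one label. A malformed Origin
    value (for example the literal 'null') never matches."""
    try:
        scheme, labels, port = split_origin(origin)
    except ValueError:
        return False
    p_scheme, p_labels, p_port = compiled
    if scheme != p_scheme or port != p_port or len(labels) != len(p_labels):
        return False
    return all(p == "*" or p == label for p, label in zip(p_labels, labels))


def naive_matches(host, pattern):
    """What a glob comparison does: '*' matches any characters, dots included.
    Kept here only to show why a right-side wildcard is unsafe."""
    return fnmatchcase(host, pattern)


def choose_acao(origin, allowlist):
    """Return the value to send in Access-Control-Allow-Origin (the requesting
    origin itself, so the response should also carry 'Vary: Origin'), or None
    to send no header at all. Entries without '*' are compared verbatim, as
    Anne suggests; entries with '*' go through the one-level matcher."""
    for entry in allowlist:
        if "*" not in entry:
            if origin == entry:
                return origin
        elif pattern_matches(origin, compile_pattern(entry)):
            return origin
    return None


if __name__ == "__main__":
    # Constructed allowlist for the Wikipedia/Commons scenario in the thread.
    allow = ["http://*.wikipedia.org", "http://commons.wikimedia.org"]
    for o in ("http://en.wikipedia.org", "http://en.wikipedia.org.evilsite.com",
              "https://en.wikipedia.org", "null"):
        print(o, "->", choose_acao(o, allow))
    print("naive glob:", naive_matches("example.co.evilsite.com", "example.co.*"))
```

The verbatim comparison is the safer default; the wildcard path only adds value when the number of origins (the "200-odd Wikipedias") makes an explicit list impractical, and even then the pattern is validated once at load time rather than parsed per request.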