I spoke to Jonas and several others at TPAC, and everyone agreed that for
web servers that are not behind a firewall, it's safe to
*always* send Access-Control-Allow-Origin: *.

If this is true, as it seems to be, it would be great if the spec would
explicitly call out the reason for requiring the header for cookie-less
requests, and say that in non-firewall cases, it's always safe to include
the header.

Yehuda Katz
(ph) 718.877.1325


On Thu, Dec 1, 2011 at 7:53 AM, Tab Atkins Jr. <jackalm...@gmail.com> wrote:

> On Mon, Nov 28, 2011 at 4:05 AM, Nicolas Mollet <nico.mol...@gmail.com>
> wrote:
> > Hello,
> >
> > I am new here, and not sure if this is the right place to talk about my
> > problem.
> >
> > As I understand it, CORS is a new specification, and it was introduced in
> > the latest Firefox 8.
> > Many users started to edit their servers' properties using the
> > "Access-Control-Allow-Origin" property.
> >
> > What about servers we don't have access to, like the file sharing
> > services (Dropbox, Photobucket)?
> >
> > For example, in my project, I hosted many files in a Dropbox Public Folder:
> > now it is becoming useless because CORS is not enabled on Dropbox.
> > What should be done? Can Dropbox change its policy according to CORS?
> >
> > Can your group contact file sharing services so they can adapt their
> > services to CORS?
> >
> > Thank you very much,
>
> Yes, third-party hosting services need to add CORS headers as well if
> they want their stuff to be accessible from XHR, etc.  It's the same
> process for them as it is for a normal author.
>
> It's possible that someone from this mailing list could contact those
> services.  It's more likely to happen, though, if you do it yourself.
> ^_^
>
> ~TJ
>
>

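Added example, not part of the original messages: a JavaScript model of the resource sharing check a browser applies to a cross-origin response, showing that `Access-Control-Allow-Origin: *` makes a response readable only for cookie-less requests. The function names and the sample origin are constructed for illustration.

```javascript
// Model of the browser-side CORS check (added example, names are hypothetical).
// Returns true when the requesting script would be allowed to read the response.
function corsCheck({ requestOrigin, withCredentials, responseHeaders }) {
  // Header names are case-insensitive, so normalise them once.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = value;
  }

  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return false; // no header: response is withheld

  if (!withCredentials) {
    // Cookie-less request: "*" or an exact origin match passes.
    return allowOrigin === '*' || allowOrigin === requestOrigin;
  }

  // Credentialed request: "*" is never accepted. The origin must be echoed
  // exactly and Access-Control-Allow-Credentials must be the literal "true".
  return allowOrigin === requestOrigin &&
         headers['access-control-allow-credentials'] === 'true';
}

// Headers a public, cookie-less file host could attach to every response.
function publicFileHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Constructed scenarios: the same wildcard response, requested with and
// without cookies, plus a host that sends no CORS header at all.
function demo() {
  const origin = 'https://app.example'; // constructed sample origin
  return {
    wildcardNoCookies: corsCheck({
      requestOrigin: origin, withCredentials: false,
      responseHeaders: publicFileHeaders() }),
    wildcardWithCookies: corsCheck({
      requestOrigin: origin, withCredentials: true,
      responseHeaders: publicFileHeaders() }),
    noHeader: corsCheck({
      requestOrigin: origin, withCredentials: false, responseHeaders: {} }),
  };
}
```

With `*`, a script only ever reads what the server returns to a request without cookies; on a host behind a firewall that can still be more than an outside client could fetch, which is the case the message above sets aside.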