Hi
http://enable-cors.org/ says
[[
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: http://example.com:8080 http://foo.example.com
The asterisk permits scripts hosted on any site to load your resources;
the space-delimited lists limits access to scripts hosted on the listed
servers.
]]
http://fetch.spec.whatwg.org/#resource-sharing-check says
[[
If the value of Access-Control-Allow-Origin is not a case-sensitive match
for the value of the Origin header as defined by its specification, return
fail and terminate this algorithm.
]]
i.e. space separated values will fail.
Please update enable-cors.org to say only one origin can be specified.
Also, an origin has to be specified (rather than using "*") if one wants
to use cookies, which does not appear to be discussed.
cheers
--
Simon Pieters
Opera Software
