Thanks a lot, Simon (and Anne!) - I've filed it under
https://github.com/mhausenblas/enable-cors.org/issues/18 and will be fixed ASAP.
Cheers,
Michael
--
Dr. Michael Hausenblas, Research Fellow
DERI - Digital Enterprise Research Institute
NUIG - National University of Ireland, Galway
Ireland, Europe
Tel.: +353 91 495730
http://mhausenblas.info/
On 9 Nov 2012, at 14:11, Simon Pieters wrote:
> Hi
>
> http://enable-cors.org/ says
>
> [[
> Access-Control-Allow-Origin: *
> Access-Control-Allow-Origin: http://example.com:8080 http://foo.example.com
>
> The asterisk permits scripts hosted on any site to load your resources; the
> space-delimited lists limits access to scripts hosted on the listed servers.
> ]]
>
> http://fetch.spec.whatwg.org/#resource-sharing-check says
>
> [[
> If the value of Access-Control-Allow-Origin is not a case-sensitive match for
> the value of the Origin header as defined by its specification, return fail
> and terminate this algorithm.
> ]]
>
> i.e. space separated values will fail.
>
> Please update enable-cors.org to say only one origin can be specified.
>
> Also, an origin has to be specified (rather than using "*") if one wants to
> use cookies, which does not appear to be discussed.
>
> cheers
> --
> Simon Pieters
> Opera Software
