- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 8 Apr 2015 15:31:00 +1000
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Odin Hørthe Omdal <odinho@opera.com>, WebAppSec WG <public-webappsec@w3.org>

> On 8 Apr 2015, at 3:09 pm, Anne van Kesteren <annevk@annevk.nl> wrote:
>
> On Wed, Apr 8, 2015 at 7:02 AM, Mark Nottingham <mnot@mnot.net> wrote:
>> Yeah — but just as far as ACEH is concerned.
>
> Might also be interesting to check that if you include a new ACAO
> header it then does fail. Or the even sillier edge case of doing a
> credentialed fetch and having the 304 add ACAC (requires the original
> response to use an origin, not *).

<http://www.w3.org/TR/cors/#access-control-allow-origin-response-header>:

"""
The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response.
"""

What does that *mean*?

--
Mark Nottingham https://www.mnot.net/

Received on Wednesday, 8 April 2015 05:31:28 UTC