Echoing the value of "Origin" for CORS instead of using "*"?

Question

According to MDN,

when responding to a credentialed request, server must specify a domain, and cannot use wild carding.

So I cannot simply use Access-Control-Allow-Origin: *. However, I'm wondering if there is a reason not to simply use: Access-Control-Allow-Origin: ${request.headers["Origin"]}, i.e., always set Access-Control-Allow-Origin to whatever Origin was set to in the request.

score 0 · Accepted Answer · edited May 23 '17 at 11:57

0

There isn't.

It has been discussed (rather indirectly) in this thread : Access-Control-Allow-Origin Multiple Origin Domains?

In your case, your list of domains are all domains, which means no matter what the request originates from, it is in your 'list of domains'.

edited May 23 '17 at 11:57

Community

1
1

answered Apr 16 '15 at 08:04

fyquah95

758
5
16

Echoing the value of "Origin" for CORS instead of using "*"?

1 Answers1