
Although browsers only accept a single origin domain or wildcard as a CORS header, the server can trivially handle the multi-domain use case. On the preflight request, check the location header in the request, and if it belongs to a defined whitelist, set the CORS header on the response to that domain or subdomain. I don't know why, but I can imagine that since there is a reasonable workaround, browser implementers perhaps kept things simple and never bothered adding support for a list of specific domains.


I understand how it works, but adding unnecessary conditional server-side logic to fix a limited spec is a poor solution.


Just imagine having everyone’s localhost and whatever other development sites exist bloating the header of GitHub’s API


Just imagine accidentally reflecting every origin as a wildcard because you misconfigured your dynamic ACAO response headers to reflect whatever the current origin is.
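The following is an added example, not code posted by anyone in this thread. It shows the server-side allow-list check described earlier in the thread (matching the request's Origin header, which is the header browsers actually send on cross-origin requests and preflights, against a fixed list and echoing only that value back), alongside the two ways it commonly goes wrong: reflecting every origin, as the comment above describes, and prefix-matching the allow list. The allow list, the request objects and the `handleRequest`/`attackerGetsAcao` helpers are constructed for illustration; nothing here is from any real project.

```javascript
// Added example, not code from the thread: allow-list CORS handling versus the
// two common ways it goes wrong. Everything is a pure function over a plain
// request object { method, headers } so it runs without a server.

// Constructed allow list for the example.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'http://localhost:3000',
]);

// Correct: exact-match the Origin header against the allow list and echo only
// that value back. Any origin not on the list gets no ACAO header at all,
// so the browser blocks the response from being read cross-origin.
function corsHeadersAllowlist(req) {
  const origin = req.headers['origin'];
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response now differs per origin; tell shared caches so one
    // origin's ACAO header is never served to another.
    'Vary': 'Origin',
  };
}

// Wrong #1 (the misconfiguration from the comment above): reflect whatever
// Origin arrives. Combined with Allow-Credentials this is worse than "*",
// because "*" is not honoured with credentials but a reflected origin is.
function corsHeadersReflectAll(req) {
  const origin = req.headers['origin'];
  if (typeof origin !== 'string') return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Wrong #2: prefix matching. "https://app.example.com.attacker.net" starts
// with an allowed origin, so it passes the check.
function corsHeadersPrefixMatch(req) {
  const origin = req.headers['origin'];
  if (typeof origin !== 'string') return {};
  for (const allowed of ALLOWED_ORIGINS) {
    if (origin.startsWith(allowed)) {
      return {
        'Access-Control-Allow-Origin': origin,
        'Access-Control-Allow-Credentials': 'true',
      };
    }
  }
  return {};
}

// Minimal handler (hypothetical): a preflight (OPTIONS plus
// Access-Control-Request-Method) gets a 204 carrying the CORS headers and the
// allowed methods/headers; any other request gets a 200 with the same origin
// decision applied.
function handleRequest(req, corsPolicy = corsHeadersAllowlist) {
  const cors = corsPolicy(req);
  const isPreflight = req.method === 'OPTIONS' &&
    typeof req.headers['access-control-request-method'] === 'string';
  if (isPreflight) {
    if (!cors['Access-Control-Allow-Origin']) return { status: 204, headers: {} };
    return {
      status: 204,
      headers: {
        ...cors,
        'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
        'Access-Control-Allow-Headers': 'Content-Type, Authorization',
        'Access-Control-Max-Age': '600',
      },
    };
  }
  return {
    status: 200,
    headers: { ...cors, 'Content-Type': 'application/json' },
    body: '{"ok":true}',
  };
}

// Constructed requests: a preflight from an allowed origin and a GET from an
// attacker-controlled page whose origin merely begins with an allowed one.
const preflightFromApp = {
  method: 'OPTIONS',
  headers: { origin: 'https://app.example.com', 'access-control-request-method': 'POST' },
};
const getFromAttacker = {
  method: 'GET',
  headers: { origin: 'https://app.example.com.attacker.net' },
};

// What ACAO value each policy would hand the attacker's page (null = none).
function attackerGetsAcao(corsPolicy) {
  return handleRequest(getFromAttacker, corsPolicy).headers['Access-Control-Allow-Origin'] || null;
}

console.log(handleRequest(preflightFromApp));
for (const policy of [corsHeadersAllowlist, corsHeadersReflectAll, corsHeadersPrefixMatch]) {
  console.log(policy.name, '->', attackerGetsAcao(policy));
}
```

Run with `node cors-allowlist.js` (any filename). Only `corsHeadersAllowlist` leaves the attacker's page without an `Access-Control-Allow-Origin` header; the other two policies hand it `https://app.example.com.attacker.net` together with `Allow-Credentials: true`, which is exactly the "reflect every origin" outcome the comment above warns about. The `Vary: Origin` header matters whenever the ACAO value is computed per request, otherwise a shared cache can serve one origin's response to another.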


Ok guys, you won, I take it back.



