test-cors.org
Add a way to test Access-Control-Allow-Origin: *
Using a wildcard ("*") in the Access-Control-Allow-Origin header bears a special meaning within the CORS specification.
It would be interesting to be able to play with this option, notably to check the behaviour of different browsers.
For example, adding an "Allow Origin" field in the "Local" Server part, with an option to "mirror" the requesting origin, or to specify a text field where we can put a specific value, including the wildcard "*".
Related server code: https://github.com/monsur/test-cors.org/blob/4f8979cd90178355c0fc6bf27f6f74adf126f61d/server/corsserver.py#L90
There are several extensions made to work for this; with this feature it’s possible to validate which of them is valid.
- https://mybrowseraddon.com/access-control-allow-origin.html
- https://www.moesif.com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/
- https://addons.mozilla.org/firefox/addon/cors-everywhere/
- https://addons.mozilla.org/firefox/addon/corsify/
Thanks for your pointers!
I knew about the article and different browser extensions.
My point in opening an issue was to provide a way via test-cors.org to test another CORS option/configuration to see how browsers react to it.
So using an extension is not the aim, it is overriding the browser's CORS implementation.
test-cors.org only works with ACAO that reflects the received Origin; I want to be able to provide other server-side values (for example):
- ACAO: origin1 origin2 (to test browsers not allowing multiple values, as specified in the spec)
- ACAO: null
- ACAO: *
- ACAO: {=origin mirroring} ( = current implementation)
I hope this clarifies the feature request.
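
The ACAO values listed in this thread, run through the Fetch standard's CORS check that browsers apply to a response. This is an added example, not code from test-cors.org or from either commenter; the mode names, function names and sample origins are assumptions made for illustration.

```python
from typing import Optional

def acao_value(mode: str, request_origin: str, custom: str = "") -> str:
    """Server side: choose the Access-Control-Allow-Origin value (hypothetical modes)."""
    if mode == "mirror":        # what the issue calls the current implementation
        return request_origin
    if mode == "wildcard":
        return "*"
    if mode == "null":
        return "null"
    if mode == "custom":        # free-text field, e.g. "origin1 origin2"
        return custom
    raise ValueError(f"unknown mode: {mode}")

def cors_check(request_origin: str, acao: Optional[str],
               acac: Optional[str] = None, credentials: bool = False) -> bool:
    """Client side: the CORS check from the Fetch standard."""
    if acao is None:                       # header absent
        return False
    if not credentials and acao == "*":    # wildcard counts only without credentials
        return True
    if acao != request_origin:             # exact comparison, never parsed as a list
        return False
    if not credentials:
        return True
    return acac == "true"                  # credentialed requests also need ACAC: true

def matrix(request_origin: str, custom: str) -> dict:
    """Outcome of every mode, with and without credentials (server sends ACAC: true)."""
    out = {}
    for mode in ("mirror", "wildcard", "null", "custom"):
        acao = acao_value(mode, request_origin, custom)
        for creds in (False, True):
            out[(mode, creds)] = cors_check(request_origin, acao, "true", creds)
    return out

if __name__ == "__main__":
    # Constructed sample origins.
    page = "https://a.example"
    for key, ok in matrix(page, "https://a.example https://b.example").items():
        print(key, "allowed" if ok else "blocked")
    # A literal "null" matches only requests whose serialized origin is "null"
    # (opaque origins such as sandboxed documents).
    print("null origin vs ACAO null:", cors_check("null", "null"))
```
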