Must the Access-Control-Allow-Origin header include scheme?

Tags: http, cors

I'm having some problems with CORS definitions, and I have a question (not about CORS in general - that I'm fine with - just about the official specification and usage):

According to the IETF, if the Origin header is passed and if it is a URL, that URL must be fully serialized, and must include scheme and host (and optionally port). From https://www.rfc-editor.org/rfc/rfc6454#section-7.1:

The Origin header field has the following syntax:

origin              = "Origin:" OWS origin-list-or-null OWS
origin-list-or-null = %x6E %x75 %x6C %x6C / origin-list
origin-list         = serialized-origin *( SP serialized-origin )
serialized-origin   = scheme "://" host [ ":" port ]
                   ; <scheme>, <host>, <port> from RFC 3986

At least, I think I have understood that correctly.

The IETF also says that the format of the Access-Control-Allow-Origin header must follow the same format. From http://www.w3.org/TR/cors/#access-control-allow-origin-response-header:

Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" origin-list-or-null | "*"

and links to the Origin header page.

However, I have seen numerous examples (both here on SO and elsewhere) which show ACAO headers without the scheme (i.e. not an exact 'mirror' of the Origin header), e.g. they show this being passed in the request:

Origin: http://www.example.com

and this as the 'correct' response:

Access-Control-Allow-Origin: www.example.com

So is that ACAO header valid? I thought that the ACAO header had to be an exact mirror of the Origin header value (or '*' or 'null').

If I respond with an ACAO header which doesn't include the scheme, should the User Agent accept it? Or is it on a UA-by-UA basis? What if the Origin includes a port number - do I need to include that in the ACAO response header, with or without the scheme?

roryhewitt asked Mar 03 '15 18:03


1 Answer

As you mentioned, RFC 6454 defines the syntax of an origin without ambiguity:

origin              = "Origin:" OWS origin-list-or-null OWS
origin-list-or-null = %x6E %x75 %x6C %x6C / origin-list
origin-list         = serialized-origin *( SP serialized-origin )
serialized-origin   = scheme "://" host [ ":" port ]

and the CORS W3C recommendation explicitly refers to the same definition:

Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" origin-list-or-null | "*"

So the following header is not valid:

Access-Control-Allow-Origin: www.example.com

and must not be accepted by the User Agent:

When generating an Origin header field, the user agent MUST meet the following requirements:

Each of the serialized-origin productions in the grammar MUST be the ascii-serialization of an origin.

This is particularly important because of the same-origin policy:

The same-origin policy is one of the cornerstones of security for many user agents, including web browsers.

Concerning the second part of the question about the port number, the ASCII serialization of an origin algorithm states:

  1. If the port part of the origin triple is different from the default port for the protocol given by the scheme part of the origin triple:

Append a U+003A COLON code point (":") and the given port, in base ten, to result.

Ortomala Lokni answered Sep 27 '22 17:09