by marcinw 5393 days ago
Wow, 61% of websites that responded with an Access-Control-Allow-Origin header had a value set to "*". This allows for the website to be accessed in a cross-domain manner (think XSS, global wild cards in crossdomain.xml, etc).

I'm worried to think how site operators will adopt CSP (Content Security Policy) once it starts to gain traction.


This article is extremely poorly written. If you look at the top graph, 0.05% of the 10,000 websites make use of the header. Of those, 61% had a value set to " * ". 0.05% of 10,000 is 5, so 3 websites had that header set to " * ". I guess 3 is just not quite as scary as saying 61%.
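Both comments turn on the same two questions: what an Access-Control-Allow-Origin value actually permits, and whether a percentage is quoted against the sites that send the header or against all sites crawled. The script below is an added example, not code from either commenter or from the article; it classifies the CORS headers of a constructed sample crawl (the hostnames, the probe Origin and the header values are all made up) and reports wildcard use both ways.

```python
"""Classify CORS response headers from a crawl and report wildcard usage
as a share of header-bearing sites AND as a share of all sites crawled."""
from collections import Counter

# Constructed sample crawl: (hostname, Origin sent by the probe, response headers).
# Illustrative values only, not data from the survey the thread discusses.
SAMPLE_CRAWL = [
    ("a.example", "https://probe.example", {"Content-Type": "text/html"}),
    ("b.example", "https://probe.example", {"Access-Control-Allow-Origin": "*"}),
    ("c.example", "https://probe.example",
     {"Access-Control-Allow-Origin": "https://app.c.example"}),
    ("d.example", "https://probe.example",
     {"Access-Control-Allow-Origin": "*",
      "Access-Control-Allow-Credentials": "true"}),
    ("e.example", "https://probe.example",
     {"Access-Control-Allow-Origin": "https://probe.example",
      "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}),
    ("f.example", "https://probe.example", {"Server": "nginx"}),
    ("g.example", "https://probe.example", {"Access-Control-Allow-Origin": "*"}),
    ("h.example", "https://probe.example", {"Content-Type": "application/json"}),
]


def classify_cors(headers, request_origin=None):
    """Return a label describing what the Access-Control-Allow-Origin header permits.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors-header"
    if acao == "*":
        # "*" lets any page read the response, but browsers never attach
        # cookies or expose a credentialed response to a wildcard, so what
        # leaks is only what an anonymous request would get anyway. Pairing
        # "*" with Allow-Credentials is rejected by browsers outright.
        return "wildcard+credentials" if creds else "wildcard"
    if acao == "null":
        return "null-origin"
    if request_origin is not None and acao == request_origin:
        # Echoing the caller's Origin behaves like a wildcard; with
        # credentials it exposes authenticated responses to any site.
        return "reflected-origin+credentials" if creds else "reflected-origin"
    return "specific-origin+credentials" if creds else "specific-origin"


def summarize(crawl):
    """Count each policy class and state wildcard use against two denominators."""
    labels = Counter(classify_cors(hdrs, origin) for _, origin, hdrs in crawl)
    total = len(crawl)
    with_header = total - labels["no-cors-header"]
    wildcard = labels["wildcard"] + labels["wildcard+credentials"]
    return {
        "total": total,
        "with_header": with_header,
        "wildcard": wildcard,
        "wildcard_share_of_header_bearing": wildcard / with_header if with_header else 0.0,
        "wildcard_share_of_all": wildcard / total if total else 0.0,
        "labels": dict(labels),
    }


if __name__ == "__main__":
    for host, origin, hdrs in SAMPLE_CRAWL:
        print(f"{host:12} {classify_cors(hdrs, origin)}")
    s = summarize(SAMPLE_CRAWL)
    print(f"{s['wildcard']} of {s['with_header']} header-bearing sites use '*' "
          f"({s['wildcard_share_of_header_bearing']:.0%}), which is "
          f"{s['wildcard']} of {s['total']} sites overall "
          f"({s['wildcard_share_of_all']:.0%}).")
```

On the constructed sample, 3 of the 5 sites that send the header use `*` (60%), but that is 3 of 8 sites overall; reporting both numbers side by side is what keeps a survey result honest. The classifier also separates the case that matters more to a defender than a plain `*`: an echoed Origin combined with `Access-Control-Allow-Credentials: true`.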