Make CORS safer by not reflecting origin for * #10
Hmm, I'll need to do some more research on this. It is a pattern I have seen in some other packages, which is why I did it initially. Not finding a ton of concrete recommendations though.
I have found this: http://stackoverflow.com/a/19744754/121660 which says it might not be possible to use
As I write this out, I tend to agree with you. Converting
The other packages all do it wrong I'm sorry to say (and it's a huge security problem where people accidentally turn off security). You're right: with "Access-Control-Allow-Origin: *" and Allow-Credentials: true, the browser will ignore the AllowCredentials. * means "credentials not allowed no matter what".
The problem with this package is that when people specify *, the CORS handler ends up reflecting the origin header instead of returning * like the user specified.
Here is some research I did on the topic: https://ejj.io/misconfigured-cors/. I occasionally look for new places to track CORS problems down and found this today.
To be a little more explicit about the problem case I envision:
I envision someone specifying origins "*" and allow_credentials true. Right now, that has the effect of turning off web security because * actually means "reflect whatever the origin header was".
After this change, people who specify "*" and allow_credentials true don't turn off security, and instead safely return the
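The two behaviours argued over in this thread, side by side, as an added example that is not the package's own code (the thread does not show the package's handler, so Python and the function names `cors_headers_reflecting`, `cors_headers_fixed` and `browser_exposes_response` are assumptions here). The "before" handler treats a configured `*` as "reflect the request's Origin"; the "after" handler sends `*` literally. A small approximation of the browser's CORS check then shows the practical difference: with the reflecting handler, an attacker origin gets credentialed read access; with the literal `*`, the browser refuses the credentialed read no matter what `Access-Control-Allow-Credentials` says. Dropping `Access-Control-Allow-Credentials` alongside `*` and adding `Vary: Origin` for echoed origins are design choices of this example, not something the thread specifies.

```python
# Added illustration, not the package's own code: a hypothetical minimal CORS
# handler in its "before" (origin-reflecting) and "after" (literal "*") forms,
# plus an approximation of the browser-side CORS check from the Fetch spec.


def cors_headers_reflecting(request_origin, allow_origins, allow_credentials):
    """'Before': a configured "*" means "reflect whatever Origin was sent".
    Combined with allow_credentials=True this grants every origin on the
    internet credentialed access, i.e. the same-origin policy is switched off."""
    headers = {}
    if request_origin is None:
        return headers  # not a cross-origin request, no CORS headers needed
    if "*" in allow_origins or request_origin in allow_origins:
        headers["Access-Control-Allow-Origin"] = request_origin  # reflected
        if allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_headers_fixed(request_origin, allow_origins, allow_credentials):
    """'After': "*" is sent literally, as configured. Browsers never expose a
    credentialed response whose Access-Control-Allow-Origin is "*", so the
    "*" + allow_credentials=True misconfiguration no longer opens anything.
    Explicitly listed origins are still echoed back, since a specific origin
    is the only form that can be combined with credentials."""
    headers = {}
    if request_origin is None:
        return headers
    if "*" in allow_origins:
        headers["Access-Control-Allow-Origin"] = "*"
        # Assumption in this example: Allow-Credentials is dropped here, since
        # the Fetch spec forbids "*" with credentials anyway.
    elif request_origin in allow_origins:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Vary"] = "Origin"  # response differs per origin; keep caches honest
        if allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_exposes_response(headers, request_origin, credentials_included):
    """Approximates the browser's CORS check: would a script running at
    request_origin be allowed to read this response?"""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        # "*" is only honoured for requests made without credentials;
        # Access-Control-Allow-Credentials is irrelevant in that case.
        return not credentials_included
    if acao != request_origin:
        return False
    if credentials_included:
        return headers.get("Access-Control-Allow-Credentials") == "true"
    return True


def demo():
    """Same misconfiguration ("*" plus credentials), attacker origin, both handlers."""
    attacker = "https://evil.example"  # constructed attacker origin
    before = cors_headers_reflecting(attacker, ["*"], True)
    after = cors_headers_fixed(attacker, ["*"], True)
    return {
        "before_headers": before,
        "before_attacker_reads_credentialed": browser_exposes_response(before, attacker, True),
        "after_headers": after,
        "after_attacker_reads_credentialed": browser_exposes_response(after, attacker, True),
        "after_anonymous_read_still_works": browser_exposes_response(after, attacker, False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the reflecting handler answering the attacker's request with `Access-Control-Allow-Origin: https://evil.example` plus `Access-Control-Allow-Credentials: true`, which the browser accepts for a credentialed read; the fixed handler answers `*`, which the browser accepts only for anonymous reads, so a cookie-bearing cross-origin read from the attacker page fails.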