CORS issues #1944
Comments
Restrict via config options. Inactivate by default on 2.3
brew added a commit to brew/ckan that referenced this issue on Oct 27, 2014:

New config settings:
ckan.cors.origin_allow_all = <true|false>
ckan.cors.origin_whitelist = <space separated list of allowable domain origins>

Access-Control-Allow headers will only be set in the response if the request contains an Origin header, the origin_allow_all setting is present, and either:
a) the origin_allow_all setting is true, or
b) the request origin is listed in the origin_whitelist setting
brew added three further commits to brew/ckan that referenced this issue on Oct 28, 2014.
These are commented out by default.
The API application running on the server was implementing an HTML5 cross-origin resource sharing (CORS) policy which allowed access from any domain. Allowing access from all domains means that any domain can perform two-way interaction with the application via requests sent to this server. Unless the response consists only of unprotected public content, this policy is likely to present a security risk.
Suggested fix
It is recommended that the domains which are allowed by the CORS policy in relation to any sensitive content within the application should be reviewed, and that it should be determined whether it is appropriate for the application to trust both the intentions and security posture of those domains.
Related tickets
#1000
(2.3: can't add labels here)
(origin: pentest)
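Added example, not code from this issue or from CKAN itself: the origin check that brew's commit message above describes (ckan.cors.origin_allow_all / ckan.cors.origin_whitelist), written out in Python next to the allow-any-origin policy the pentest finding objects to. The two setting names come from the commit message; the advertised methods and headers, the Vary header, and the sample config and origins are my assumptions.

```python
# Added example, not CKAN's own code: the origin check described in brew's
# commit message (ckan.cors.origin_allow_all / ckan.cors.origin_whitelist)
# written out, next to the allow-any-origin policy the pentest finding describes.
from typing import Dict, Mapping, Optional

# Setting names are taken from the commit message on this issue.
ALLOW_ALL_KEY = "ckan.cors.origin_allow_all"
WHITELIST_KEY = "ckan.cors.origin_whitelist"

# Which methods/headers to advertise is an assumption for this example; the
# commit message only says "Access-Control-Allow headers".
ALLOW_METHODS = "GET, POST, PUT, DELETE, OPTIONS"
ALLOW_HEADERS = "Authorization, Content-Type, X-CKAN-API-KEY"


def _is_true(value: Optional[str]) -> bool:
    """Interpret the <true|false> setting; anything other than 'true' is false."""
    return value is not None and value.strip().lower() == "true"


def origin_allowed(config: Mapping[str, str], origin: str) -> bool:
    """Policy from the commit message: allowed iff origin_allow_all is present
    and (it is true, or the origin is listed in origin_whitelist).

    The whitelist match is an exact string compare on the full origin
    (scheme://host[:port]).  Never use substring, prefix or regex matching
    here: https://data.example.org.attacker.test would pass a 'contains
    example.org' check, and http:// vs https:// are different origins.
    """
    allow_all = config.get(ALLOW_ALL_KEY)
    if allow_all is None:            # setting absent: CORS headers are never set
        return False
    if _is_true(allow_all):
        return True
    whitelist = config.get(WHITELIST_KEY, "").split()   # space-separated list
    return origin in whitelist


def cors_headers(config: Mapping[str, str],
                 request_headers: Mapping[str, str]) -> Dict[str, str]:
    """Response headers to add for this request, or {} if none should be set.

    Emitted only when the request carries an Origin header and the policy
    allows that origin.  Vary: Origin is my addition (not in the commit
    message): without it a shared cache could serve a response carrying one
    origin's Access-Control-Allow-Origin value to a request from another.
    """
    origin = request_headers.get("Origin")
    if origin is None or not origin_allowed(config, origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ALLOW_METHODS,
        "Access-Control-Allow-Headers": ALLOW_HEADERS,
        "Vary": "Origin",
    }


def wildcard_cors_headers(request_headers: Mapping[str, str]) -> Dict[str, str]:
    """The policy the pentest finding objects to: access from any domain.

    Shown for contrast only.  Any page on the web can read this API's
    responses from inside the user's browser; browsers do refuse to attach
    cookies to a '*' origin, so what leaks is whatever a client with no
    credentials but the same network position as the victim can see.
    """
    if "Origin" not in request_headers:
        return {}
    return {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Methods": ALLOW_METHODS,
        "Access-Control-Allow-Headers": ALLOW_HEADERS,
    }


# Constructed sample data for a stand-alone run: a whitelist deployment and
# three cross-origin requests.
SAMPLE_CONFIG = {
    ALLOW_ALL_KEY: "false",
    WHITELIST_KEY: "https://data.example.org https://portal.example.org:8443",
}
SAMPLE_REQUESTS = {
    "listed origin": {"Origin": "https://data.example.org"},
    "lookalike origin": {"Origin": "https://data.example.org.attacker.test"},
    "same-origin (no Origin header)": {},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        print(f"{label}: whitelist -> {cors_headers(SAMPLE_CONFIG, hdrs)}")
        print(f"{label}: wildcard  -> {wildcard_cors_headers(hdrs)}")
```

Running the file prints the headers each sample request receives under both policies. Two points the commit message leaves implicit and that the finding's "review the trusted domains" advice should cover: whitelist entries have to be full origins compared for exact equality, since a substring or suffix match admits attacker-controlled lookalike hosts; and if the policy the pentest saw was not a literal "*" but an echo of any Origin value together with Access-Control-Allow-Credentials: true, the exposure is worse than the wildcard, because then authenticated API responses are readable by any site the user visits.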