This repository has been archived by the owner on Dec 9, 2022. It is now read-only.

Don't return the origin header when configured to * #116

Merged
merged 1 commit into from Nov 1, 2017

Conversation

@ejcx ejcx commented Nov 1, 2017

There's no reason to allow for a server to reflect all origin headers.
This has caused numerous security problems in the past.
 - cyu/rack-cors#126
 - https://nodesecurity.io/advisories/148
 - captncraig/cors@cc1cf75

Some helpful blog posts on the topic:
 - https://ejj.io/misconfigured-cors/
 - http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
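
The wildcard-versus-reflection point from the description above, as an added Go example (not gorilla/handlers' own code; `resolveAllowOrigin`, `corsMiddleware` and `allowOriginFor` are names chosen here): configured with `*`, the middleware answers `*` instead of echoing the request's Origin, and only exact allow-list matches are echoed back.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// resolveAllowOrigin picks the Access-Control-Allow-Origin value for a request;
// allowed is the configured allow-list ("*" = any origin), "" means no header.
// The defect this PR fixes is the "*" branch: an earlier version echoed the
// request's Origin. Browsers refuse credentialed responses carrying "*" but
// accept ones naming the requesting origin, so reflection quietly widens "*".
func resolveAllowOrigin(allowed []string, requestOrigin string) string {
	if requestOrigin == "" {
		return "" // not a cross-origin request
	}
	for _, o := range allowed {
		if o == "*" {
			return "*" // wildcard: never reflect the caller's origin
		}
		if o == requestOrigin {
			return o // exact allow-list match
		}
	}
	return "" // unknown origin: no header, so the browser blocks the read
}

// corsMiddleware applies resolveAllowOrigin to every request before calling h.
func corsMiddleware(allowed []string, h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if v := resolveAllowOrigin(allowed, r.Header.Get("Origin")); v != "" {
			w.Header().Set("Access-Control-Allow-Origin", v)
			if v != "*" {
				w.Header().Add("Vary", "Origin") // per-origin answers must not be cached across origins
			}
		}
		h.ServeHTTP(w, r)
	})
}

// allowOriginFor runs one request with the given Origin through the middleware
// and returns the Access-Control-Allow-Origin value the client would receive.
func allowOriginFor(allowed []string, origin string) string {
	h := corsMiddleware(allowed, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}
```
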
elithrar commented Nov 1, 2017

Thanks for raising this, Evan - appreciate it. Agree with the assessment.

@elithrar elithrar merged commit 9066371 into gorilla:master Nov 1, 2017
elithrar commented Nov 1, 2017

Tagged v1.3.0 with this: https://github.com/gorilla/handlers/releases/tag/v1.3.0

ejcx commented Nov 2, 2017

Woot!
