julienw Dec 12, 2023

Contributor

I'm puzzled because I don't see how this fixes the security advisory. Indeed '*' means any origin, so this is essentially the same behavior as before. Unless I'm missing something.

I believe the advisory author would prefer that this behavior is explicit, that is, as a user of the library I should specify "*" explicitly in the origin parameter.

(I would myself be happy enough with just a stronger emphasis in the doc)