julienw Jan 4, 2024

Contributor

Can you please elaborate on the risks you're mentioning when you write "lowest risk" and "risky"?

Here is my understanding:

  • Without CORS, the same-origin policy prevents a webpage from making requests to servers with another origin (except via <script> and friends).
  • With CORS, a server can define which webpages can make requests to this server (and with which methods, etc.).
  • Returning requestOrigin or * is basically identical (any webpage can make a request) except for one point: credentials (cookies and other similar things): requests need to be made without credentials https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
  • My understanding is that, without credentials, Access-Control-Allow-Credentials wasn't set before, so credentials were already rejected with the previous version, even when returning requestOrigin. Therefore I think that the change doesn't change anything in practice.
  • Therefore I don't see that the current situation is "the lowest risk". The lowest risk would be to make the option origin mandatory, and not add the header if it's not present.

Note that the advisory doesn't say anything about cookies or credentials, but instead about the fact that the middleware is configured by default to allow all origins. This change doesn't change that!

Please tell me if I missed anything :-)
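To make the comparison in this comment concrete, here is an added example (not code from the thread or from the middleware under discussion) that models the three server policies mentioned above (reflecting requestOrigin, answering `*`, and an explicit origin allow-list) next to the browser-side rule for credentialed requests. The function names and the `opts` shape are hypothetical.

```javascript
// Added example, not the project's code. Models the CORS response headers a
// server-side middleware would emit under three policies, plus the browser
// check that decides whether a cross-origin response can be read.

// opts.origin: array allow-list (the "mandatory origin option" suggested in
// the comment). opts.reflect: echo the request Origin ("previous version").
// Neither set: wildcard '*' ("current version"). opts.credentials adds
// Access-Control-Allow-Credentials, which is the only setting that makes
// reflecting the origin genuinely riskier than '*'.
function corsHeaders(requestOrigin, opts = {}) {
  const h = {};
  if (Array.isArray(opts.origin)) {
    // Lowest risk: unknown origins get no header at all.
    if (!requestOrigin || !opts.origin.includes(requestOrigin)) return h;
    h['Access-Control-Allow-Origin'] = requestOrigin;
    h['Vary'] = 'Origin';
  } else if (opts.reflect) {
    h['Access-Control-Allow-Origin'] = requestOrigin;
    h['Vary'] = 'Origin';
  } else {
    h['Access-Control-Allow-Origin'] = '*';
  }
  if (opts.credentials) h['Access-Control-Allow-Credentials'] = 'true';
  return h;
}

// Browser-side rule (simplified): with credentials, '*' is always rejected
// (the CORSNotSupportingCredentials error linked above) and a reflected
// origin is rejected unless Allow-Credentials is 'true'. Without
// credentials, '*' and a matching reflected origin behave the same.
function browserDecision(requestOrigin, headers, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return 'blocked: no ACAO header';
  if (withCredentials) {
    if (acao === '*') return 'blocked: wildcard with credentials';
    if (headers['Access-Control-Allow-Credentials'] !== 'true') {
      return 'blocked: credentials not allowed';
    }
  }
  if (acao !== '*' && acao !== requestOrigin) return 'blocked: origin mismatch';
  return 'allowed';
}

const ORIGIN = 'https://attacker.example'; // constructed sample origin
console.log(browserDecision(ORIGIN, corsHeaders(ORIGIN, { reflect: true }), true));
console.log(browserDecision(ORIGIN, corsHeaders(ORIGIN), true));
console.log(browserDecision(ORIGIN, corsHeaders(ORIGIN, { origin: ['https://app.example'] }), false));
```

Running it shows that, without Allow-Credentials, the reflected-origin and wildcard variants are blocked for credentialed requests and allowed for plain ones alike, while only the allow-list variant refuses the unknown origin outright.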