include information about CORS security #70

Open
deanjerkovich opened this Issue Dec 5, 2013 · 4 comments


@deanjerkovich

I can see why everyone loves CORS, but as a work-around to one of the most fundamental security boundaries of the modern web (SOP), I think it would be very prudent to at least discuss some of the potential pitfalls and dangers associated with CORS.

@elf-pavlik

👍 @deanjerkovich would you like to write an initial draft?

@deanjerkovich

@elf-pavlik sure, is a few paragraphs too much?

@elf-pavlik

@deanjerkovich i would say just write it here as you think and everyone interested can help with refining... maybe just keep editing your comment, create gists, create a wiki page, or even just link to an etherpad... @monsur what do you suggest for working on such content together?
oh... preferably maybe just turn this issue into a pull request 😄
http://opensoul.org/2012/11/09/convert-a-github-issue-into-a-pull-request/ (how i do it)
or https://issue2pr.herokuapp.com/ (which i didn't use myself)

@monsur
Owner
monsur commented Dec 11, 2013

@deanjerkovich, can you provide a rough outline of the things you'd like to
highlight? Since the server is mostly in control of a CORS request, I don't
see CORS itself as being a danger. However server authors do still need to
keep standard precautions in place, such as CSRF protection (especially for
non-preflighted requests). Were there other security dangers you had in
mind? Thanks!
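As an added illustration of the point in the comment above (example code, not part of this issue or of the enable-cors.org project): CORS headers control what a browser lets a page read, not what it may send. A "simple" cross-origin POST is delivered, cookies and all, before the browser ever looks at the response headers, so the server still needs CSRF checks on mutating endpoints; only non-simple requests are stopped by a failed preflight. The origin allowlist and session token below are constructed assumptions.

```python
import hmac

ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed allowlist, not a real deployment
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
BROWSER_SET_HEADERS = {"origin", "cookie", "host", "referer"}  # added by the browser, not by page script


def is_simple_request(method, headers):
    """True when the browser sends the request without a preflight (a CORS 'simple' request)."""
    if method not in SIMPLE_METHODS:
        return False
    for name, value in headers.items():
        lname = name.lower()
        if lname in BROWSER_SET_HEADERS:
            continue
        if lname not in SAFELISTED_HEADERS:
            return False  # a custom header (e.g. X-Requested-With) forces a preflight
        if lname == "content-type" and value.split(";")[0].strip().lower() not in SIMPLE_CONTENT_TYPES:
            return False  # e.g. application/json forces a preflight
    return True


def cors_headers(origin):
    """Emit CORS headers only for an allowlisted origin; never reflect an arbitrary Origin with credentials."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
    return {}


def handle(method, headers, form, session_csrf_token):
    """Server side: CSRF is enforced on every mutating request regardless of CORS,
    because a simple cross-origin POST reaches us (with cookies) whether or not the origin is allowed."""
    cors = cors_headers(headers.get("Origin", ""))
    if method in ("GET", "HEAD"):
        return 200, cors
    if not hmac.compare_digest(form.get("csrf_token", ""), session_csrf_token):
        return 403, cors  # token missing or wrong: reject even if CORS headers would be sent
    return 200, cors


def browser_send(origin, method, headers, form, session_csrf_token):
    """Simulate the browser: simple requests are delivered at once; others only after a preflight
    that the server approves for allowlisted origins. Returns (delivered_to_server, status)."""
    headers = dict(headers, Origin=origin)
    if not is_simple_request(method, headers) and not cors_headers(origin):
        return False, None  # preflight rejected: the real request never leaves the browser
    status, _ = handle(method, headers, form, session_csrf_token)
    return True, status
```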

@monsur monsur referenced this issue Oct 29, 2014
Closed

add security tab? #82
