
AllowOriginSetting adjustments #2053

Open · wants to merge 1 commit into base: master from
Conversation

@cak
commented Sep 10, 2019

Makes security adjustments to AllowOriginSetting, adding a whitelist origin case and adjusting the custom origin case.

  1. Added a whitelist origin case to encourage users to provide a list of allowable origins, to protect against Arbitrary Reflected Origin attacks, instead of relying on originBased. Ex. allowedOrigin: .whitelist(["https://vapor.codes", "https://docs.vapor.codes"])
  2. Adjusted the custom origin case to return the specified allowed origin and not the value from the origin header. Previously allowedOrigin: .custom("https://vapor.codes") would reflect back an access-control-allow-origin of https://vapor.co

Security Resources:

Checklist

  • Circle CI is passing (code compiles and passes tests).
  • There are no breaking changes to public API.
  • New test cases have been added where appropriate.
  • All new code has been commented with doc blocks ///.
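The following is an added illustration, not code from this PR or from Vapor itself: a minimal stand-alone Swift enum that models the three behaviours the description contrasts (`originBased` reflecting the request's Origin, `custom` answering with one fixed origin, `whitelist` answering only for an exact match in an explicit list). The type and method names, and the sample origins, are assumptions made for the example; the real middleware's API may differ.

```swift
/// Added example, not Vapor's own code. Models how each allow-origin setting
/// decides the value of the access-control-allow-origin response header.
enum AllowOriginSetting {
    /// Reflect whatever Origin the request carried. Any site can obtain a
    /// matching header, which is the "arbitrary reflected origin" weakness.
    case originBased
    /// Always answer with one fixed origin, regardless of the request's Origin.
    case custom(String)
    /// Answer with the request's Origin only when it is in the explicit list.
    case whitelist([String])

    /// Returns the header value to send, or nil to omit the header entirely.
    func header(forRequestOrigin origin: String?) -> String? {
        switch self {
        case .originBased:
            return origin
        case .custom(let allowed):
            // The fix in this PR: send the configured origin, never the request's.
            return allowed
        case .whitelist(let allowed):
            // Exact string comparison: a lookalike such as a longer hostname
            // that merely starts with a trusted origin does not match.
            guard let origin = origin, allowed.contains(origin) else { return nil }
            return origin
        }
    }
}

// Constructed sample origins: one trusted, one attacker-controlled lookalike.
let trusted = "https://vapor.codes"
let lookalike = "https://vapor.codes.evil.example"

let settings: [(String, AllowOriginSetting)] = [
    ("originBased", .originBased),
    ("custom", .custom("https://vapor.codes")),
    ("whitelist", .whitelist(["https://vapor.codes", "https://docs.vapor.codes"])),
]

for (name, setting) in settings {
    for origin in [trusted, lookalike] {
        let value = setting.header(forRequestOrigin: origin) ?? "<header omitted>"
        print("\(name) with Origin \(origin) -> \(value)")
    }
}
```

Running it shows the difference the PR is after: `originBased` echoes both origins back, including the lookalike; `custom` answers `https://vapor.codes` to both requests, so the lookalike never sees itself reflected; `whitelist` answers the trusted origin and omits the header for the lookalike. Exact-match comparison is the important detail when implementing a list check, since prefix or substring matching would let a hostname that merely contains a trusted origin through.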