From 8f51065e3ad5a45529e90c2668fbfd0a237c2d5f Mon Sep 17 00:00:00 2001
From: Florian Scholz
Date: Thu, 14 Nov 2024 15:10:43 +0100
Subject: [PATCH 1/3] Add CORS
---
 features/cors.yml | 18 ++++++++++++
 features/cors.yml.dist | 67 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 85 insertions(+)
 create mode 100644 features/cors.yml
 create mode 100644 features/cors.yml.dist
diff --git a/features/cors.yml b/features/cors.yml
new file mode 100644
index 00000000000..254e6c124bf
--- /dev/null
+++ b/features/cors.yml
@@ -0,0 +1,18 @@
+name: CORS
+description: Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.
+spec: https://fetch.spec.whatwg.org/#http-cors-protocol
+status:
+ compute_from: http.headers.Access-Control-Allow-Origin
+compat_features:
+ - http.headers.Access-Control-Allow-Credentials
+ - http.headers.Access-Control-Allow-Headers
+ - http.headers.Access-Control-Allow-Headers.authorization_not_covered_by_wildcard
+ - http.headers.Access-Control-Allow-Headers.wildcard
+ - http.headers.Access-Control-Allow-Methods
+ - http.headers.Access-Control-Allow-Methods.wildcard
+ - http.headers.Access-Control-Allow-Origin
+ - http.headers.Access-Control-Expose-Headers
+ - http.headers.Access-Control-Expose-Headers.wildcard
+ - http.headers.Access-Control-Max-Age
+ - http.headers.Access-Control-Request-Headers
+ - http.headers.Access-Control-Request-Method
diff --git a/features/cors.yml.dist b/features/cors.yml.dist
new file mode 100644
index 00000000000..5ab6c5ccd53
--- /dev/null
+++ b/features/cors.yml.dist
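Review bot: `compute_from: http.headers.Access-Control-Allow-Origin` ties the status of the whole feature to one header, while four of the listed keys have a later or no status in the generated `cors.yml.dist`: the three `.wildcard` keys show `baseline_low_date: 2020-07-28`, and `http.headers.Access-Control-Allow-Headers.authorization_not_covered_by_wildcard` shows `baseline: false` with `support: {}`. A reader who sees CORS reported as Baseline high since 2018 may assume the wildcard handling is the same in every browser, which matters most for the last key because, judging by its name, it tracks whether `*` leaves out the `Authorization` header. I would either move those four keys into a separate feature or explain the choice in a comment above `status:`, for example `# Status follows Access-Control-Allow-Origin; wildcard behaviour shipped later, see the per-key status in cors.yml.dist`.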
@@ -0,0 +1,67 @@ +# Generated from: cors.yml +# Do not edit this file by hand. Edit the source file instead! + +status: + baseline: high + baseline_low_date: 2015-07-29 + baseline_high_date: 2018-01-29 + support: + chrome: "4" + chrome_android: "18" + edge: "12" + firefox: "3.5" + firefox_android: "4" + safari: "4" + safari_ios: "3.2" +compat_features: + # ⬇️ Same status as overall feature ⬇️ + # baseline: high + # baseline_low_date: 2015-07-29 + # baseline_high_date: 2018-01-29 + # support: + # chrome: "4" + # chrome_android: "18" + # edge: "12" + # firefox: "3.5" + # firefox_android: "4" + # safari: "4" + # safari_ios: "3.2" + - http.headers.Access-Control-Allow-Credentials + - http.headers.Access-Control-Allow-Headers + - http.headers.Access-Control-Allow-Methods + - http.headers.Access-Control-Allow-Origin + - http.headers.Access-Control-Expose-Headers + - http.headers.Access-Control-Max-Age + - http.headers.Access-Control-Request-Headers + - http.headers.Access-Control-Request-Method + + # baseline: high + # baseline_low_date: 2020-07-28 + # baseline_high_date: 2023-01-28 + # support: + # chrome: "63" + # chrome_android: "63" + # edge: "79" + # firefox: "69" + # firefox_android: "79" + # safari: "13" + # safari_ios: "13" + - http.headers.Access-Control-Allow-Headers.wildcard + - http.headers.Access-Control-Allow-Methods.wildcard + + # baseline: high + # baseline_low_date: 2020-07-28 + # baseline_high_date: 2023-01-28 + # support: + # chrome: "65" + # chrome_android: "65" + # edge: "79" + # firefox: "69" + # firefox_android: "79" + # safari: "13" + # safari_ios: "13" + - http.headers.Access-Control-Expose-Headers.wildcard + + # baseline: false + # support: {} + - http.headers.Access-Control-Allow-Headers.authorization_not_covered_by_wildcard From 06da835d59b8b51357d8f1a54d688ca5df07e89c Mon Sep 17 00:00:00 2001 
From: Florian Scholz
Date: Tue, 19 Nov 2024 12:10:30 +0100
Subject: [PATCH 2/3] Update features/cors.yml
Co-authored-by: Daniel D. Beck
---
 features/cors.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/features/cors.yml b/features/cors.yml
index 254e6c124bf..465f81641f1 100644
--- a/features/cors.yml
+++ b/features/cors.yml
@@ -1,5 +1,5 @@
 name: CORS
-description: Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.
+description: Cross-Origin Resource Sharing is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. Also known as CORS.
 spec: https://fetch.spec.whatwg.org/#http-cors-protocol
 status:
 compute_from: http.headers.Access-Control-Allow-Origin
From 2c5ea2ea9ddfd2e82271001013407adbcb95d25e Mon Sep 17 00:00:00 2001
From: Florian Scholz
Date: Tue, 19 Nov 2024 12:11:33 +0100
Subject: [PATCH 3/3] Add security group
---
 features/cors.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/features/cors.yml b/features/cors.yml
index 465f81641f1..df2b29054d1 100644
--- a/features/cors.yml
+++ b/features/cors.yml
@@ -1,6 +1,7 @@
 name: CORS
 description: Cross-Origin Resource Sharing is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. Also known as CORS.
 spec: https://fetch.spec.whatwg.org/#http-cors-protocol
+group: security
 status:
 compute_from: http.headers.Access-Control-Allow-Origin
 compat_features:
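Review bot: The `description:` introduced in PATCH 2/3 presents CORS only as a way for a server to permit loading, and once PATCH 3/3 files the feature under `group: security` that wording can be read as an access control. The headers loosen the browser's same-origin policy for the listed origins; they are enforced by the browser, so clients other than browsers ignore them and the server still has to authenticate and authorize each request itself. I would add that to the text, for example by ending the first sentence with `…permit loading resources, relaxing the same-origin policy for those origins.` Whether a `security` group is already defined in the repository is not visible in this series; the diffstat shows only `features/cors.yml`.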