The default CORS configuration poses a security risk. #93

Open
ConardLi opened this issue Dec 18, 2023 · 3 comments
@ConardLi

I don't understand why the latest commit sets the default Access-Control-Allow-Origin to *. This makes no difference to setting it as the request Origin, as both will break the browser's same-origin policy restrictions. The safest option is to default to empty, letting users specify the origin value themselves.

f31dac9

@ConardLi ConardLi added the bug label Dec 18, 2023
@fengmk2
Member

fengmk2 commented Dec 18, 2023

Setting the request origin by default is riskier for browsers, so we refer to industry practice such as expressjs and set it to * by default.
Since turning on the cors plugin is a user action, the default value is set instead of the null value, because if you want the null value, you can just introduce the cors plugin.

@panva

panva commented Dec 27, 2023

Setting request origin by default is more risky for browsers

Could you please elaborate on this statement?

@julienw
Contributor

julienw commented Feb 1, 2024

The subtle difference is with the behaviors around credentials (cookies especially). A request with credentials answered with Access-Control-Allow-Origin: "*" will return an error in browsers, but with the right Origin credentials are accepted...
provided that Access-Control-Allow-Credentials: true is specified, which wasn't and still isn't the case by default.

(In short: I agree with you that the change didn't change anything)
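The two claims above (fengmk2's that reflecting the request Origin is riskier than `*`, and julienw's that the difference only appears once Access-Control-Allow-Credentials: true is also sent) can be checked against the browser's own rules. The following is an added example written for this thread; it is not code from egg-cors, egg, or express. `corsResponseHeaders` is a hypothetical, simplified server policy (origin `*`, reflected Origin, or no header), and `browserCorsCheck` implements the CORS check from the Fetch specification, which is what decides whether the page gets to read the response. Header names are lower-cased, as they are in Node's `IncomingMessage.headers`.

```javascript
// Added example, not egg-cors code. Models the server-side default that the
// thread argues about and the browser-side CORS check that judges it.

// Hypothetical simplified server policy (not the plugin's real option schema):
//   policy.origin      : '*' | 'reflect' | ''   ('' means send no ACAO header)
//   policy.credentials : whether Access-Control-Allow-Credentials: true is sent
function corsResponseHeaders(requestOrigin, policy) {
  const headers = {};
  if (policy.origin === '*') {
    headers['access-control-allow-origin'] = '*';
  } else if (policy.origin === 'reflect' && requestOrigin) {
    // Reflecting the caller's Origin: every origin is "allowed".
    headers['access-control-allow-origin'] = requestOrigin;
    headers['vary'] = 'Origin'; // keep caches from serving one origin's answer to another
  }
  if (policy.credentials) {
    headers['access-control-allow-credentials'] = 'true';
  }
  return headers;
}

// Browser-side CORS check, following the steps of the Fetch spec's "CORS check":
//  - no Access-Control-Allow-Origin header        -> failure
//  - ACAO is '*' and request has no credentials   -> success
//  - ACAO does not equal the request's origin     -> failure ('*' fails here for credentialed requests)
//  - request has no credentials                   -> success
//  - otherwise success only if ACAC is exactly 'true'
function browserCorsCheck(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;
  if (allowOrigin === '*' && !withCredentials) return true;
  if (allowOrigin !== requestOrigin) return false;
  if (!withCredentials) return true;
  return headers['access-control-allow-credentials'] === 'true';
}

// Compare the two defaults the thread discusses, both without ACAC (the
// plugin's stated default), for a given cross-origin caller.
function compareDefaults(requestOrigin, withCredentials) {
  const star = corsResponseHeaders(requestOrigin, { origin: '*', credentials: false });
  const reflect = corsResponseHeaders(requestOrigin, { origin: 'reflect', credentials: false });
  return {
    star: browserCorsCheck(requestOrigin, withCredentials, star),
    reflect: browserCorsCheck(requestOrigin, withCredentials, reflect),
  };
}

// Constructed sample caller: an arbitrary third-party site.
const caller = 'https://third-party.example';

// Without credentials both defaults let any origin read the response;
// with credentials (cookies) both are blocked, because ACAC is not sent.
console.log('no credentials:', compareDefaults(caller, false));   // { star: true, reflect: true }
console.log('with credentials:', compareDefaults(caller, true));   // { star: false, reflect: false }

// The combination that actually leaks cookie-authenticated responses to any
// site: reflected Origin plus Access-Control-Allow-Credentials: true.
const reflectWithCreds = corsResponseHeaders(caller, { origin: 'reflect', credentials: true });
console.log('reflect + ACAC, with credentials:', browserCorsCheck(caller, true, reflectWithCreds)); // true

// '*' cannot be combined with credentials even if ACAC is sent.
const starWithCreds = corsResponseHeaders(caller, { origin: '*', credentials: true });
console.log('* + ACAC, with credentials:', browserCorsCheck(caller, true, starWithCreds)); // false

// An empty default (no ACAO header) blocks every cross-origin read.
const none = corsResponseHeaders(caller, { origin: '', credentials: false });
console.log('no ACAO header:', browserCorsCheck(caller, false, none)); // false
```

Read together, the results match the thread: with credentials off by default, `*` and a reflected Origin are interchangeable for the browser, and a reflected Origin only becomes the more dangerous choice once Access-Control-Allow-Credentials: true is turned on alongside it, at which point any site can read responses carrying the user's cookies.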
