CORS requests with credentials should forbid `*` · expressjs/cors#333

(4 Kommentare) (0 Reaktionen) (0 zugewiesene Personen)JavaScript (5.897 Stars) (476 Forks)batch import

3.xbughelp wanted

Beschreibung

The standard forbids using * in the Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Allow-Methods, or Access-Control-Allow-Headers response header, if the Access-Control-Allow-Credentials request header is set to true.

https://fetch.spec.whatwg.org/#cors-protocol-and-credentials

https://fetch.spec.whatwg.org/#http-new-header-syntax

Right now, this module allows it. In fact, it does it by default if the credentials option is set to true.

Instead, it could either:

Throw an error
Not set CORS response headers, i.e. rejecting the CORS request
Use the Origin request header, if specified. The Vary: Origin response header would need to be set too then.

Contributor Guide

Tech Stack: javascriptnodejsexpress
Domain: apisecurity
Issue Type: bug
Schwierigkeit: 2
Geschätzte Zeit: 1-3 hours
Aktivitätsstatus: active
Klarheit: clear
Voraussetzungen: Basic CORS knowledgeJavaScript
Einsteigerfreundlichkeit: 80
Research-Richtung: Examine the source code of the cors middleware, particularly the logic that sets Access Control Allow Origin and Access Control Allow Credentials. Look at the options handling for 'credentials'. The specification links in the issue detail the forbidding of wildcard with credentials. Consider implementing one of the suggested approaches: throw an error or reflect the Origin header with Vary. Check existing tests to ensure compliance.