CORS requests with credentials should forbid `*` · expressjs/cors#333

(4 commentaires) (0 réactions) (0 assignés)JavaScript (5 897 stars) (476 forks)batch import

3.xbughelp wanted

Description

The standard forbids using * in the Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Allow-Methods, or Access-Control-Allow-Headers response header, if the Access-Control-Allow-Credentials request header is set to true.

https://fetch.spec.whatwg.org/#cors-protocol-and-credentials

https://fetch.spec.whatwg.org/#http-new-header-syntax

Right now, this module allows it. In fact, it does it by default if the credentials option is set to true.

Instead, it could either:

Throw an error
Not set CORS response headers, i.e. rejecting the CORS request
Use the Origin request header, if specified. The Vary: Origin response header would need to be set too then.

Guide contributeur

Stack technique: javascriptnodejsexpress
Domaine: apisecurity
Type d'issue: bug
Difficulté: 2
Temps estimé: 1-3 hours
Statut d'activité: active
Clarté: clear
Prérequis: Basic CORS knowledgeJavaScript
Accessibilité débutant: 80
Direction de recherche: Examine the source code of the cors middleware, particularly the logic that sets Access Control Allow Origin and Access Control Allow Credentials. Look at the options handling for 'credentials'. The specification links in the issue detail the forbidding of wildcard with credentials. Consider implementing one of the suggested approaches: throw an error or reflect the Origin header with Vary. Check existing tests to ensure compliance.