CORS requests with credentials should forbid `*` · expressjs/cors#333

(4 留言) (0 反應) (0 負責人)JavaScript (5,897 star) (476 fork)batch import

3.xbughelp wanted

描述

The standard forbids using * in the Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Allow-Methods, or Access-Control-Allow-Headers response header, if the Access-Control-Allow-Credentials request header is set to true.

https://fetch.spec.whatwg.org/#cors-protocol-and-credentials

https://fetch.spec.whatwg.org/#http-new-header-syntax

Right now, this module allows it. In fact, it does it by default if the credentials option is set to true.

Instead, it could either:

Throw an error
Not set CORS response headers, i.e. rejecting the CORS request
Use the Origin request header, if specified. The Vary: Origin response header would need to be set too then.

貢獻者指南

技術棧: javascriptnodejsexpress
領域: apisecurity
議題類型: bug
難度: 2
預計時間: 1-3 hours
活動狀態: active
清晰度: clear
前置要求: Basic CORS knowledgeJavaScript
新手友善度: 80
研究方向: Examine the source code of the cors middleware, particularly the logic that sets Access Control Allow Origin and Access Control Allow Credentials. Look at the options handling for 'credentials'. The specification links in the issue detail the forbidding of wildcard with credentials. Consider implementing one of the suggested approaches: throw an error or reflect the Origin header with Vary. Check existing tests to ensure compliance.