couchdb-dev mailing list archives

From "Zachary Lym (JIRA)" <>
Subject [jira] [Created] (COUCHDB-2444) Mirror CORS domains
Date Thu, 06 Nov 2014 23:14:34 GMT
Zachary Lym created COUCHDB-2444:

             Summary: Mirror CORS domains
                 Key: COUCHDB-2444
             Project: CouchDB
          Issue Type: Improvement
      Security Level: public (Regular issues)
          Components: HTTP Interface
            Reporter: Zachary Lym

Most APIs that support CORS specify acceptable domains not with a wildcard but by mirroring
the caller.  I believe that this is an XSS mitigation technique but it would also allow cookie-based
authentication on domains (which are blocked when a wildcard is used to specify the domains).

If this capability exists, then it should be documented in the interface and highlighted in the
CORS documentation.

[PouchDB cross-pollination|].

This message was sent by Atlassian JIRA
