couchdb-dev mailing list archives

From "Dale Harvey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (COUCHDB-2444) Mirror CORS domains
Date Fri, 07 Nov 2014 09:16:35 GMT

    [ https://issues.apache.org/jira/browse/COUCHDB-2444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14201822#comment-14201822 ]

Dale Harvey commented on COUCHDB-2444:
--------------------------------------

Authentication from wildcard origins does not validate the spec; the spec doesn't specify the
possible functionality of the server's ability to authenticate requests from wherever it chooses,
it just specifies the valid server responses.

> Mirror CORS domains
> -------------------
>
>                 Key: COUCHDB-2444
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2444
>             Project: CouchDB
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: HTTP Interface
>            Reporter: Zachary Lym
>
> Most APIs that support CORS specify acceptable domains not with a wildcard but by mirroring
> the caller.  I believe that this is an XSS mitigation technique but it would also allow cookie-based
> authentication on domains (which are blocked when a wildcard is used to specify the domains).
> If this capability exists, then it should be documented in the interface and highlighted in
> the CORS documentation.
> [PouchDB cross-pollination|https://github.com/pouchdb/pouchdb/issues/896].



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
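The origin-mirroring pattern the issue describes, as an added illustration that is not CouchDB's or PouchDB's code. It assumes a constructed allowlist (`ALLOWED_ORIGINS`) and a plain dict of request headers; the function names (`normalize_origin`, `cors_headers`, `wildcard_cors_headers`) are hypothetical. The point it shows beyond the issue text is the check that makes mirroring safe: the echoed value must be an exact match against the allowlist after normalizing scheme, host case and default port, never a substring or suffix match, and the response must carry `Vary: Origin` so a shared cache does not hand one origin's mirrored header to another.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; not a CouchDB configuration value.
ALLOWED_ORIGINS = {
    "https://app.example.com",
    "https://admin.example.com:8443",
}


def normalize_origin(origin):
    """Return an Origin value as canonical scheme://host[:port], or None.

    Browsers serialize Origin with a lowercase host and no default port, so
    the allowlist is compared in that same form. Exact whole-origin matching is
    what keeps 'https://app.example.com.evil.net' or
    'https://evilapp.example.com' from passing a prefix or suffix check.
    """
    if not origin or origin == "null":
        return None
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None  # an Origin header never carries a path or query
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers(request_headers, allowed=ALLOWED_ORIGINS):
    """Build CORS response headers that mirror the caller's Origin.

    The Origin is echoed back, and credentials allowed, only when it is on the
    allowlist. Any other origin gets no CORS headers at all, so the browser
    blocks the cross-origin read of the response.
    """
    origin = normalize_origin(request_headers.get("Origin"))
    if origin is None:
        return {}
    allowed_normalized = {normalize_origin(o) for o in allowed}
    if origin not in allowed_normalized:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # The response differs per Origin, so caches must key on it.
        "Vary": "Origin",
    }


def wildcard_cors_headers():
    """The wildcard form the issue contrasts with mirroring.

    Any origin may read the response, but browsers will not attach cookies or
    HTTP auth to such a request, and they reject '*' combined with
    Access-Control-Allow-Credentials: true. This is why the wildcard blocks
    cookie-based authentication and mirroring does not.
    """
    return {"Access-Control-Allow-Origin": "*"}


if __name__ == "__main__":
    # Constructed sample requests.
    for hdrs in ({"Origin": "https://app.example.com"},
                 {"Origin": "HTTPS://Admin.Example.com:8443"},
                 {"Origin": "https://app.example.com.evil.net"},
                 {}):
        print(hdrs.get("Origin"), "->", cors_headers(hdrs))
    print("wildcard ->", wildcard_cors_headers())
```

Run as a script it prints the headers each constructed request would receive: the two allowlisted origins are mirrored with credentials allowed, while the look-alike origin and the missing-Origin request get nothing.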
