couchdb-dev mailing list archives

From "Zachary Lym (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (COUCHDB-2444) Mirror CORS domains
Date Fri, 07 Nov 2014 22:37:34 GMT

     [ https://issues.apache.org/jira/browse/COUCHDB-2444?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Zachary Lym updated COUCHDB-2444:
---------------------------------
    Description: 
Most APIs that support CORS specify acceptable domains *not* with a wildcard but by mirroring
the caller's origin.  I believe that this is mainly an XSS mitigation technique.

This is an important feature because the CORS specification blocks cookie-based authentication
when using wildcard domains.  This is the only viable method for enabling clients of CouchDB
backed APIs to use cookie-based authentication.

[PouchDB cross-pollination|https://github.com/pouchdb/pouchdb/issues/896].

EDIT: clarified situation, relation to spec and security.

  was:
Most APIs that support CORS specify acceptable domains not with a wildcard but by mirroring
the caller.  I believe that this is an XSS mitigation technique but it would also allow cookie-based
authentication on domains (which are blocked when a wildcard is used to specify the domains).

If this capability exists, then it should be documented in the interface and highlighted in the
CORS documentation.

[PouchDB cross-pollination|https://github.com/pouchdb/pouchdb/issues/896].

         Labels: cors security  (was: )

> Mirror CORS domains
> -------------------
>
>                 Key: COUCHDB-2444
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2444
>             Project: CouchDB
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: HTTP Interface
>            Reporter: Zachary Lym
>              Labels: cors, security
>
> Most APIs that support CORS specify acceptable domains *not* with a wildcard but by mirroring
> the caller's origin.  I believe that this is mainly an XSS mitigation technique.
> This is an important feature because the CORS specification blocks cookie-based authentication
> when using wildcard domains.  This is the only viable method for enabling clients of CouchDB
> backed APIs to use cookie-based authentication.
> [PouchDB cross-pollination|https://github.com/pouchdb/pouchdb/issues/896].
> EDIT: clarified situation, relation to spec and security.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
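Added example, not code from the issue or from CouchDB: a small Python helper showing the header logic the issue asks for. It mirrors the caller's Origin only when that origin is on a configured allowlist, adds `Vary: Origin` so caches do not serve one origin's answer to another, and refuses the `*` wildcard together with credentials, which is the CORS restriction the description refers to. The allowlist and the origins fed to it are constructed values for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: the only origins allowed to call the
# API with cookies. In a real deployment this comes from server configuration.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:5984"}


def normalize_origin(origin):
    """Return 'scheme://host[:port]' in lowercase, or None if the Origin header
    is missing, opaque ('null'), or not a plain http(s) origin."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_headers(request_origin, allowed_origins=ALLOWED_ORIGINS, credentials=True):
    """Build the CORS response headers for a request carrying request_origin.

    - wildcard + no credentials: plain 'Access-Control-Allow-Origin: *'
    - wildcard + credentials: configuration error (browsers reject that combination)
    - otherwise: mirror the Origin back only if it is on the allowlist
    """
    if "*" in allowed_origins:
        if credentials:
            raise ValueError(
                "Access-Control-Allow-Origin: * cannot be combined with credentials; "
                "list the origins explicitly so they can be mirrored"
            )
        return {"Access-Control-Allow-Origin": "*"}

    # Mirrored responses differ per Origin, so caches must key on it.
    headers = {"Vary": "Origin"}
    origin = normalize_origin(request_origin)
    if origin is None or origin not in allowed_origins:
        # No Allow-Origin header at all: the browser blocks the cross-origin read.
        return headers
    headers["Access-Control-Allow-Origin"] = origin
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    # Constructed sample requests: an allowed caller, an unknown one, and an opaque origin.
    for origin in ("https://app.example.com", "https://attacker.example.net", "null"):
        print(origin, "->", cors_headers(origin))
```

The point of `normalize_origin` is that the comparison is done on a canonical form rather than on the raw header string, so `HTTPS://App.Example.com` still matches while anything with a path or query is rejected before it can be reflected.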
