[COUCHDB-2444] Mirror CORS domains - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Won't Fix
Affects Version/s: None
Fix Version/s: None
Component/s: HTTP Interface
Labels:
- cors
- security

Description

Most APIs that support CORS specify acceptable domains not with a wildcard but by mirroring the caller's origin. I believe that this is mainly a XSS mitigation technique.

This is an important feature because the CORS specification blocks cookie-based authentication when using wildcard domains. This is the only viable method for enabling clients of CouchDB backed APIs to use cookie based authentication.

PouchDB cross-pollination.

EDIT: clarified situation, relation to spec and security.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Zachary Lym

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 06/Nov/14 23:14

Updated:: 02/Sep/18 07:01

Resolved:: 02/Sep/18 07:01