  1. CouchDB
  2. COUCHDB-2444

Mirror CORS domains


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: HTTP Interface
    • Labels:

      Description

      Most APIs that support CORS specify acceptable domains not with a wildcard but by mirroring the caller's origin. I believe that this is mainly an XSS mitigation technique.

      This is an important feature because the CORS specification blocks cookie-based authentication when using wildcard domains. This is the only viable method for enabling clients of CouchDB-backed APIs to use cookie-based authentication.

      PouchDB cross-pollination.

      EDIT: clarified situation, relation to spec and security.
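
The header behaviour described in this issue, as an added example that is not part of the original report and is not CouchDB code: the server mirrors the caller's origin instead of sending `*`, and a small model of the browser-side check shows why a wildcard response fails for cookie-based requests. The allowlist, its origins, and the function names are hypothetical; mirroring is restricted to an allowlist here because reflecting every origin together with credentials would let any site read authenticated responses.

```javascript
// Added example, not CouchDB code. All names are hypothetical.
// Constructed allowlist of origins trusted to send credentialed requests.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Build CORS response headers for a request carrying the given Origin header.
// The origin is mirrored only on an exact allowlist match, and "*" is never
// combined with credentials.
function corsHeaders(origin, { allowCredentials = true } = {}) {
  // The response differs per origin, so caches must key on Origin.
  const headers = { Vary: "Origin" };
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) {
    return headers; // no Access-Control-Allow-Origin: cross-origin read is blocked
  }
  headers["Access-Control-Allow-Origin"] = origin; // mirrored value
  if (allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Model of the browser's CORS check (Fetch standard): a credentialed response
// must name the exact requesting origin and set
// Access-Control-Allow-Credentials: true. "*" passes only without credentials.
function browserAccepts(requestOrigin, headers, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === "*" || acao === requestOrigin;
  return (
    acao === requestOrigin &&
    headers["Access-Control-Allow-Credentials"] === "true"
  );
}
```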

            People

            • Assignee:
              Unassigned
              Reporter:
              indolering Zachary Lym
            • Votes:
              0
              Watchers:
              4
