Fix for CORS vulnerability

oyvindkinsey · oyvindkinsey · commit 4e46f32ebca9 · 2019-04-08T12:13:44.000-05:00
Summary:
Sites including the raw content of the distribution zip will be susceptible to a CORS attack due to the default cors/index.html file containing an open whitelist regex.
diff --git a/build.xml b/build.xml
@@ -4,7 +4,7 @@
 	<property file="build.secret.properties"/>
 	<property name="project.build.artifactdir" value="./artifacts/"/>
 	<property name="project.build.publishdir" value="./artifacts/"/>
-	<property name="project.build.version" value="2.4.20"/>
+	<property name="project.build.version" value="2.5.00"/>
 	
 	<!-- Setup classpath for js-build-tools ant tasks -->
 	<path id="js-build-tasks.classpath">
diff --git a/src/cors/index.html b/src/cors/index.html
@@ -59,7 +59,7 @@
         // this file is by default set up to use Access Control - this means that it will use the headers set by the server to decide whether or not to allow the call to return
         var useAccessControl = true;
         // always trusted origins, can be exact strings or regular expressions
-        var alwaysTrustedOrigins = [(/\.?easyxdm\.net/), (/xdm1/)];
+        var alwaysTrustedOrigins = ["https://consumer.easyxdm.net"];
         
         // instantiate a new easyXDM object which will handle the request 
         var remote = new easyXDM.Rpc({
