You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
"Access-Control-Allow-Origin: *" Is set, granting any domain access to CORS resources. There should be a white-list in the configuration that lists allowed Origin headers.
The issue is made worse with "Access-Control-Allow-Credentials: true". Now that any domain can access the endpoints, they also can also authenticate as another user. This can be done by sending a crafted link to a user who is logged in (presumably, unless session token is persistent) - once clicked, the script would send a CORS request to sensitive endpoints and the browser would send along their cookies since "Access-Control-Allow-Credentials: true" is set.
The text was updated successfully, but these errors were encountered:
https://github.com/q191201771/lal/blob/92252c8b91004301b13e353063a1a9f1a362969a/pkg/base/cors.go#L13C1-L17
"Access-Control-Allow-Origin: *" Is set, granting any domain access to CORS resources. There should be a white-list in the configuration that lists allowed Origin headers.
The issue is made worse with "Access-Control-Allow-Credentials: true". Now that any domain can access the endpoints, they also can also authenticate as another user. This can be done by sending a crafted link to a user who is logged in (presumably, unless session token is persistent) - once clicked, the script would send a CORS request to sensitive endpoints and the browser would send along their cookies since "Access-Control-Allow-Credentials: true" is set.
The text was updated successfully, but these errors were encountered: