It should be noted that CORSing without discretion can render CSRF protection 
completely useless. If your site adds the Access-Control-Allow-Credentials 
header, malicious sites can detect whether a user is logged in, manipulate user 
data, or do other nasty things to your users. For APIs, though, this generally 
isn't an issue (and who uses cookies with their API anyway?)


----- Original Message -----
From: "Daniel Veditz" <[email protected]>
To: [email protected]
Cc: "Peter Bengtsson" <[email protected]>, [email protected], 
"Fred Wenzel" <[email protected]>, [email protected], 
[email protected]
Sent: Monday, August 26, 2013 5:54:24 PM
Subject: Re: [webdev] Why not CORS:*?

On 8/26/2013 5:52 PM, Daniel Veditz wrote:
> CORS: * is always safe for a public site, or at least as safe as your
> application is for users of pre-CORS browsers. (maybe not so great for
> intranet sites.)

Meant to include a link to the authoritative blog on the subject:
http://annevankesteren.nl/2012/12/cors-101

-Dan Veditz


_______________________________________________
dev-webdev mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webdev
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security

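A defender-side illustration of the point made in the thread, added here and not part of the original messages: a small Node-style header builder that uses `*` only for public resources and grants credentialed CORS solely to an explicit allowlist, shown beside the reflect-any-Origin pattern that makes CSRF protection useless, plus an audit check that flags that pattern in a response's headers. The allowlist entries and origins are constructed for the example.

```javascript
// Added example (not from the thread). Origins below are constructed.
const ALLOWED_CREDENTIALED_ORIGINS = new Set([
  'https://app.example.com',    // constructed allowlist entries
  'https://admin.example.com',
]);

// Build the CORS headers for a response as a plain object.
// publicResource: true when cookies/sessions play no role (the "public API"
// case in the thread), so "*" is fine and no credentials header is sent.
function corsHeaders(requestOrigin, { publicResource }) {
  const headers = {};
  if (publicResource) {
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;                          // deliberately no Allow-Credentials
  }
  // Session-backed endpoint: never "*", never an echoed arbitrary Origin.
  if (requestOrigin && ALLOWED_CREDENTIALED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';  // stop caches serving one origin's answer to another
  }
  return headers;  // unknown origin: no CORS headers, so the browser withholds the body
}

// "Before" form: the naive handler that echoes whatever Origin arrives and
// still allows credentials. Any site can then read logged-in users' data.
function reflectOriginHeaders(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Audit check: does this response grant credentialed access to an origin the
// server did not explicitly trust? "*" with credentials is refused by browsers
// but still signals a misconfiguration; an echoed untrusted Origin is the
// genuinely exploitable case.
function grantsCredentialsToAnyOrigin(headers, requestOrigin) {
  if (headers['Access-Control-Allow-Credentials'] !== 'true') return false;
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  if (allowOrigin === '*') return true;
  return allowOrigin === requestOrigin &&
    !ALLOWED_CREDENTIALED_ORIGINS.has(requestOrigin);
}
```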