On 27.08.2013 03:27, Matt Basta wrote:
> It should be noted that CORSing without discretion can render CSRF
> protection completely useless. If your site adds the
> Access-Control-Allow-Credentials header, malicious sites can detect
> whether a user is logged in, manipulate user data, or do other nasty
> things to your users. For APIs, though, this generally isn't an issue
> (and who uses cookies with their API anyway?)
>
iirc whitelisting all (i.e. *) means anonymous CORS.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
