[ https://issues.apache.org/jira/browse/COUCHDB-2444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14201822#comment-14201822 ]

Dale Harvey commented on COUCHDB-2444:
--------------------------------------

Authentication from wildcard origins does not validate the spec; the spec 
doesn't specify the possible functionality of the server's ability to 
authenticate requests from wherever it chooses, it just specifies the valid 
server responses.

> Mirror CORS domains
> -------------------
>
>                 Key: COUCHDB-2444
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2444
>             Project: CouchDB
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: HTTP Interface
>            Reporter: Zachary Lym
>
> Most APIs that support CORS specify acceptable domains not with a wildcard 
> but by mirroring the caller.  I believe that this is an XSS mitigation 
> technique but it would also allow cookie-based authentication on domains 
> (which are blocked when a wildcard is used to specify the domains).
> If this capability exists, then it should be documented in the interface and 
> highlighted in the CORS documentation.
> [PouchDB cross-pollination|https://github.com/pouchdb/pouchdb/issues/896].



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
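The two policies the issue contrasts, a wildcard `Access-Control-Allow-Origin` versus mirroring the caller's `Origin`, as an added example written for this page; it is not CouchDB's or PouchDB's code. The names `ALLOWED_ORIGINS`, `normalizeOrigin`, `wildcardCorsHeaders`, `mirrorCorsHeaders` and `browserAllowsRead` and the sample origins are assumptions made for the illustration. The server side shows why mirroring has to be gated on an allow-list rather than echoing any `Origin`; the client-side function models the browser rule that a credentialed (cookie) response is blocked when the allowed origin is `*`.

```javascript
// Added example, not CouchDB code. Constructed allow-list of origins that may
// make credentialed (cookie-authenticated) cross-origin requests.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // constructed sample origin
  "http://localhost:5984",     // constructed sample origin
]);

// Normalise an Origin header value to scheme://host[:port] so that the
// allow-list comparison is exact. Substring or regex matching here is the
// classic mirroring bug (https://app.example.com.evil.net would pass a
// "starts with" check). Opaque origins ("null") never match.
function normalizeOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return null;
  let u;
  try {
    u = new URL(origin);
  } catch (e) {
    return null;
  }
  // A real Origin header carries no path, query, fragment or userinfo.
  if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) return null;
  return u.origin; // lowercases the host and drops default ports
}

// Policy 1: wildcard. Fine for anonymous reads, but browsers refuse to expose
// a credentialed response whose Access-Control-Allow-Origin is "*".
function wildcardCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Policy 2: mirror the caller, but only when it is on the allow-list.
// Unknown origins get no CORS headers at all, so the browser blocks the read.
function mirrorCorsHeaders(requestOrigin) {
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // The response now differs per Origin; without Vary a shared cache could
    // hand one origin's reflected header to a different origin.
    "Vary": "Origin",
  };
}

// Model of the browser-side decision: may the page at requestOrigin read the
// response? This is the check that blocks cookie auth behind a wildcard.
function browserAllowsRead(headers, requestOrigin, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;
  return acao === requestOrigin &&
    (!withCredentials || headers["Access-Control-Allow-Credentials"] === "true");
}

// Demonstration on the constructed origins.
console.log("wildcard + cookies:",
  browserAllowsRead(wildcardCorsHeaders(), "https://app.example.com", true));      // false
console.log("mirrored + cookies:",
  browserAllowsRead(mirrorCorsHeaders("https://app.example.com"),
                    "https://app.example.com", true));                             // true
console.log("lookalike origin:", mirrorCorsHeaders("https://app.example.com.evil.net")); // {}
```

The point of the allow-list is that mirroring is only safe when the server already knows the origin: a server that reflects whatever `Origin` arrives, together with `Access-Control-Allow-Credentials: true`, lets any site a logged-in user visits issue authenticated requests with that user's cookies.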