[jira] [Commented] (COUCHDB-2444) Mirror CORS domains
[ https://issues.apache.org/jira/browse/COUCHDB-2444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14201822#comment-14201822 ]

Dale Harvey commented on COUCHDB-2444:
--

Authentication from wildcard origins does not validate the spec; the spec doesn't specify the possible functionality of the server's ability to authenticate requests from wherever it chooses, it just specifies the valid server responses.

Mirror CORS domains
---
    Key: COUCHDB-2444
    URL: https://issues.apache.org/jira/browse/COUCHDB-2444
    Project: CouchDB
    Issue Type: Improvement
    Security Level: public (Regular issues)
    Components: HTTP Interface
    Reporter: Zachary Lym

Most APIs that support CORS specify acceptable domains not with a wildcard but by mirroring the caller. I believe that this is an XSS mitigation technique, but it would also allow cookie-based authentication on domains (which is blocked when a wildcard is used to specify the domains). If this capability exists, then it should be documented in the interface and highlighted in the CORS documentation. [PouchDB cross-pollination|https://github.com/pouchdb/pouchdb/issues/896].

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
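The two server policies discussed in this issue, wildcard versus mirroring the caller's Origin, as an added illustration that is not CouchDB's own code. The allowlist, the sample origins and the simplified browser-side check are constructed for the example; the point it shows is that a wildcard can never be combined with cookies, while a mirrored origin can, but only if it is first matched exactly against an allowlist.

```python
"""CORS response headers: wildcard policy vs. allowlisted Origin mirroring.

Added example, not CouchDB's implementation. ALLOWED_ORIGINS and every
origin string below are constructed sample values.
"""
from typing import Dict, Optional, Set

# Constructed allowlist: the only origins this API will serve with cookies.
ALLOWED_ORIGINS: Set[str] = {
    "https://app.example.com",
    "https://admin.example.com",
}


def cors_headers_wildcard() -> Dict[str, str]:
    """The wildcard policy from the issue.

    Any page may read the response, but browsers refuse to attach or expose
    cookies when Access-Control-Allow-Origin is '*', so cookie-based auth is
    impossible here. Access-Control-Allow-Credentials is deliberately not
    set: browsers reject it in combination with '*'.
    """
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers_mirrored(request_origin: Optional[str],
                          allowed: Set[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Mirror the caller's Origin, but only when it is on the allowlist.

    Returns no CORS headers at all for a missing, 'null' or unknown origin;
    the browser then blocks the cross-origin read and nothing is exposed.
    The comparison is a whole-string set lookup on purpose: prefix, suffix
    or regex matching would let a lookalike host pass, and echoing every
    Origin with credentials enabled would hand any site an authenticated
    channel to this API.
    """
    if not request_origin or request_origin == "null":
        return {}
    if request_origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        # The response differs per Origin; without Vary a shared cache could
        # hand one origin's Allow-Origin header to a different requester.
        "Vary": "Origin",
    }


def browser_permits_credentialed_read(headers: Dict[str, str],
                                      page_origin: str) -> bool:
    """Simplified model of the browser's check for a credentialed request.

    Per the Fetch/CORS rules: the Allow-Origin value must equal the page's
    origin exactly ('*' is not accepted with credentials) and
    Allow-Credentials must be the literal 'true'.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    allow_origin = lower.get("access-control-allow-origin")
    allow_creds = lower.get("access-control-allow-credentials")
    return allow_origin == page_origin and allow_creds == "true"


if __name__ == "__main__":
    page = "https://app.example.com"
    print("wildcard, credentialed:",
          browser_permits_credentialed_read(cors_headers_wildcard(), page))
    print("mirrored, credentialed:",
          browser_permits_credentialed_read(cors_headers_mirrored(page), page))
    print("lookalike origin headers:",
          cors_headers_mirrored("https://app.example.com.attacker.test"))
```

A server that mirrors without the allowlist step behaves like `cors_headers_mirrored` with `allowed` set to "everything", which is the case the last comment in this thread raises when it suggests restricting auth functionality the same way it is restricted for wildcards.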
[jira] [Commented] (COUCHDB-2444) Mirror CORS domains
[ https://issues.apache.org/jira/browse/COUCHDB-2444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14201186#comment-14201186 ]

Alexander Shorin commented on COUCHDB-2444:
---

How is it different from allowing (and violating the specification) authentication with wildcard origins?
[jira] [Commented] (COUCHDB-2444) Mirror CORS domains
[ https://issues.apache.org/jira/browse/COUCHDB-2444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14201474#comment-14201474 ]

Zachary Lym commented on COUCHDB-2444:
--

No, it will prevent local XSS attacks as it locks down the origin to the domain making the initial request. Given how well CouchDB serves as an API backend, I think that such functionality is highly desirable. If you must lock it down further, then perhaps you could just restrict CORS auth-functionality in the same way it's blocked for wildcard domains.