Posted to dev@couchdb.apache.org by "Zachary Lym (JIRA)" <ji...@apache.org> on 2014/11/07 23:37:34 UTC
[jira] [Updated] (COUCHDB-2444) Mirror CORS domains
[ https://issues.apache.org/jira/browse/COUCHDB-2444?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Zachary Lym updated COUCHDB-2444:
---------------------------------
Description:
Most APIs that support CORS specify acceptable domains *not* with a wildcard but by mirroring the caller's origin. I believe that this is mainly an XSS mitigation technique.
This is an important feature because the CORS specification blocks cookie-based authentication when using wildcard domains. This is the only viable method for enabling clients of CouchDB-backed APIs to use cookie-based authentication.
[PouchDB cross-pollination|https://github.com/pouchdb/pouchdb/issues/896].
EDIT: clarified situation, relation to spec and security.
was:
Most APIs that support CORS specify acceptable domains not with a wildcard but by mirroring the caller. I believe that this is an XSS mitigation technique but it would also allow cookie-based authentication on domains (which are blocked when a wildcard is used to specify the domains).
If this capability exists, then it should be documented in the interface and highlighted in the CORS documentation.
[PouchDB cross-pollination|https://github.com/pouchdb/pouchdb/issues/896].
Labels: cors security (was: )
> Mirror CORS domains
> -------------------
>
> Key: COUCHDB-2444
> URL: https://issues.apache.org/jira/browse/COUCHDB-2444
> Project: CouchDB
> Issue Type: Improvement
> Security Level: public(Regular issues)
> Components: HTTP Interface
> Reporter: Zachary Lym
> Labels: cors, security
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
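The mechanism the ticket asks for, shown as an added example that is not CouchDB's, PouchDB's or the reporter's code: a server decides what to put in Access-Control-Allow-Origin by checking the request's Origin against an allowlist and echoing it back, which is the only way the Fetch/CORS rules permit Access-Control-Allow-Credentials: true (a literal "*" is rejected by browsers for credentialed requests). The allowlist contents, the helper names and the constructed sample origins are assumptions made for the illustration. The caveat a practitioner wants is also built in: mirroring must be gated by the allowlist, because reflecting every Origin with credentials enabled would let any site make cookie-authenticated requests, and the response needs Vary: Origin so a shared cache does not hand one origin's answer to another.

```javascript
// Added example (not CouchDB, PouchDB or the ticket reporter's code).
// Demonstrates origin mirroring for credentialed CORS, with the allowlist
// check that makes mirroring safe, and the wildcard case it replaces.

// Constructed allowlist for the demonstration. An origin is the exact
// serialization scheme://host[:port]; no paths, no trailing slash.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "http://localhost:5984",
]);

// Exact, case-sensitive set membership. Deliberately not endsWith(),
// startsWith() or a regex: those let "https://app.example.com.evil.net"
// or "https://evil.net/https://app.example.com" through.
function isAllowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  return typeof origin === "string" && allowlist.has(origin);
}

// Returns the CORS response headers for a request, or null when the server
// should send none: no Origin header (not a cross-origin browser request),
// an origin that is not on the allowlist, or the literal "null" origin that
// sandboxed iframes and file:// pages send (it is never on the allowlist).
function corsHeadersFor(originHeader, { credentials = false, allowlist = ALLOWED_ORIGINS } = {}) {
  if (originHeader === undefined) return null;
  if (!isAllowedOrigin(originHeader, allowlist)) return null;
  const headers = {
    "Access-Control-Allow-Origin": originHeader, // mirror the one specific origin
    "Vary": "Origin",                             // per-origin answer; caches must key on Origin
  };
  if (credentials) {
    headers["Access-Control-Allow-Credentials"] = "true"; // lets the browser send cookies
  }
  return headers;
}

// The pattern the ticket contrasts against: a wildcard. With credentials
// requested, browsers refuse to expose the response, so cookie-based
// authentication can never work through it.
function wildcardHeaders({ credentials = false } = {}) {
  const headers = { "Access-Control-Allow-Origin": "*" };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// The misconfiguration that naive "mirroring" produces: echo whatever
// Origin arrived, with credentials. Kept here only to show what the
// allowlist check above prevents; never use this.
function reflectAnyOrigin(originHeader) {
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Approximation of the browser-side decision for a request made with
// credentials (e.g. fetch(..., { credentials: "include" })): the response
// must say Allow-Credentials: true AND name the request origin exactly.
// "*" does not match, and a missing header set means the read is blocked.
function browserWouldExposeCredentialedResponse(requestOrigin, responseHeaders) {
  if (!responseHeaders) return false;
  if (responseHeaders["Access-Control-Allow-Credentials"] !== "true") return false;
  return responseHeaders["Access-Control-Allow-Origin"] === requestOrigin;
}

// Walks a few constructed origins through the policy and reports, per origin,
// whether a credentialed request from it would succeed.
function demo() {
  const origins = [
    "https://app.example.com",            // allowlisted
    "http://localhost:5984",              // allowlisted, different scheme/port
    "https://app.example.com.evil.net",   // suffix-confusion attempt
    "null",                               // sandboxed iframe / file:// origin
    undefined,                            // no Origin header at all
  ];
  const result = {};
  for (const o of origins) {
    const h = corsHeadersFor(o, { credentials: true });
    result[String(o)] = browserWouldExposeCredentialedResponse(o, h);
  }
  return result;
}
```

corsHeadersFor() is the piece a CouchDB-style server would call for both the preflight (OPTIONS) response and the actual response; the allowlist is what an administrator configures, and the Origin header is untrusted input that is only ever echoed after it has been found in that set. reflectAnyOrigin() is the shape of the bug that "just mirror the caller" turns into when the check is skipped, and browserWouldExposeCredentialedResponse() makes the wildcard-plus-cookies conflict concrete: the same request that succeeds against the mirrored headers fails against the wildcard ones.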