You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@couchdb.apache.org by "Zachary Lym (JIRA)" <ji...@apache.org> on 2014/11/07 00:14:34 UTC

[jira] [Created] (COUCHDB-2444) Mirror CORS domains

Zachary Lym created COUCHDB-2444:
------------------------------------

             Summary: Mirror CORS domains
                 Key: COUCHDB-2444
                 URL: https://issues.apache.org/jira/browse/COUCHDB-2444
             Project: CouchDB
          Issue Type: Improvement
      Security Level: public (Regular issues)
          Components: HTTP Interface
            Reporter: Zachary Lym


Most APIs that support CORS specify acceptable domains not with a wildcard but by mirroring the caller.  I believe that this is an XSS mitigation technique but it would also allow cookie-based authentication on domains (which are blocked when a wildcard is used to specify the domains).

If this capability exists, then it should be documented it in interface highlighted in the CORS documentation.

[PouchDB cross-pollination|https://github.com/pouchdb/pouchdb/issues/896].



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)