- From: Craig Francis <notifications@github.com>
- Date: Sun, 20 Mar 2016 13:24:52 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/251/199011818@github.com>
Just as a note, it is possible to use:

```
Access-Control-Allow-Origin: *
```
But `.withCredentials = true` on Chrome 49 will respond with:

```
XMLHttpRequest cannot load http://... A wildcard '*' cannot be
used in the 'Access-Control-Allow-Origin' header when the
credentials flag is true. Origin 'http://...' is therefore not
allowed access. The credentials mode of an XMLHttpRequest
is controlled by the withCredentials attribute.
```
And Firefox 45:

```
Cross-Origin Request Blocked: The Same Origin Policy disallows
reading the remote resource at http://... (Reason: CORS header
'Access-Control-Allow-Origin' does not match '*').
```
---
This is because we already have developers suggesting adding this header via the Apache config:

```
<VirtualHost ...>
Header set Access-Control-Allow-Origin: "*"
</VirtualHost>
```
https://www.google.co.uk/search?q=%22Header+set+Access-Control-Allow-Origin%22
Which would mean that a Simple CORS request (e.g. from a malicious website) could get content from the victim website (e.g. get the member's profile page, and if the user is logged in, we can now retrieve their details, and maybe a CSRF token as well).
---
So maybe we do allow wildcards in:

```
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
```
But like `Origin`, don't allow the wildcard when `.withCredentials = true`.
---
https://github.com/whatwg/fetch/issues/251#issuecomment-199011818
Received on Sunday, 20 March 2016 20:25:20 UTC