Thursday 3 December 2015

Cross-Origin Resource Sharing with credentials and "essentially" any origin

Step 3 of the resource-processing model in the W3C Cross-Origin Resource Sharing recommendation (http://ift.tt/13IBXvZ) states:

If the resource supports credentials add a single Access-Control-Allow-Origin header, with the value of the Origin header as value, and add a single Access-Control-Allow-Credentials header with the case-sensitive string "true" as value.

Otherwise, add a single Access-Control-Allow-Origin header, with either the value of the Origin header or the string "*" as value.

The string "*" cannot be used for a resource that supports credentials.

This is then reflected in code like this:

// Fragment of the server-side CORS middleware that chooses the
// Access-Control-Allow-Origin value for an incoming request.
if (policy.AllowAnyOrigin)
{
    if (policy.SupportsCredentials)
    {
        // "*" is not permitted together with credentials, so the
        // request's own Origin header is reflected back verbatim...
        result.AllowedOrigin = origin;
        // ...and the response is marked as varying per origin so a
        // shared cache does not serve one origin's answer to another.
        result.VaryByOrigin = true;
    }
    else
    {
        // No credentials: the wildcard is allowed.
        result.AllowedOrigin = CorsConstants.AnyOrigin;
    }
}
else if (policy.Origins.Contains(origin))
{
    // Explicit allow-list: only a configured origin is echoed back.
    result.AllowedOrigin = origin;
}

http://ift.tt/1SBernU

My question is: how is this at all secure? What is the point of a browser refusing "*" in the allowed origins when credentials are allowed, if the server is instructed just to work around the restriction anyway?
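To make the concern concrete, the following is an added Python model of both halves of the exchange; it is not code from this post or from the ASP.NET CORS middleware quoted above. The names CorsPolicy, cors_headers_permissive, cors_headers_strict and browser_allows, and the sample origins, are assumptions constructed for the example. The permissive function mirrors the reflection logic in the snippet, the strict function shows the allow-list form that actually limits which origins receive credentialed responses, and browser_allows models the client-side check the recommendation describes, so the difference between "the browser accepted the headers" and "the server made a deliberate trust decision" is visible.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class CorsPolicy:
    """Hypothetical policy object with the three fields used in the snippet above."""
    allow_any_origin: bool = False
    supports_credentials: bool = False
    origins: FrozenSet[str] = frozenset()


def cors_headers_permissive(policy: CorsPolicy, origin: Optional[str]) -> Dict[str, str]:
    """Server-side header selection as in the snippet: AllowAnyOrigin plus
    SupportsCredentials reflects whatever Origin the request carried."""
    headers: Dict[str, str] = {}
    if origin is None:
        return headers  # not a CORS request, nothing to add
    if policy.allow_any_origin:
        if policy.supports_credentials:
            headers["Access-Control-Allow-Origin"] = origin  # verbatim echo
            headers["Access-Control-Allow-Credentials"] = "true"
            headers["Vary"] = "Origin"  # response differs per origin; keep caches honest
        else:
            headers["Access-Control-Allow-Origin"] = "*"
    elif origin in policy.origins:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
        if policy.supports_credentials:
            # Assumed: the real middleware emits this header elsewhere for this branch.
            headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_headers_strict(policy: CorsPolicy, origin: Optional[str]) -> Dict[str, str]:
    """Hardened variant: credentials are granted only to an explicit allow-list entry.
    AllowAnyOrigin with credentials degrades to an anonymous "*" response instead of
    reflecting an unknown origin."""
    headers: Dict[str, str] = {}
    if origin is None:
        return headers
    if origin in policy.origins:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
        if policy.supports_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    elif policy.allow_any_origin:
        headers["Access-Control-Allow-Origin"] = "*"  # never paired with credentials
    return headers


def browser_allows(headers: Dict[str, str], origin: str, with_credentials: bool) -> bool:
    """Model of the browser's check on the response, per the recommendation quoted above:
    with credentials the allow-origin must equal the page's origin exactly (never "*")
    and Access-Control-Allow-Credentials must be the string "true"."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        return acao == origin and headers.get("Access-Control-Allow-Credentials") == "true"
    return acao == "*" or acao == origin


if __name__ == "__main__":
    # Constructed sample policy: the configuration the question is about.
    any_origin_with_creds = CorsPolicy(allow_any_origin=True, supports_credentials=True)
    unknown = "https://third-party.example"  # constructed, not on the allow-list
    print("permissive:", browser_allows(cors_headers_permissive(any_origin_with_creds, unknown), unknown, True))
    print("strict:    ", browser_allows(cors_headers_strict(any_origin_with_creds, unknown), unknown, True))
```

Run as a script, the permissive model reports that an unlisted origin passes the browser's credentialed check, because the server echoed it, while the strict model reports that it does not. The browser check is only as meaningful as the server's decision about which value to put in Access-Control-Allow-Origin; reflecting the request's Origin delegates that decision to the requester, and the Vary: Origin header is what keeps a shared cache from reusing such a reflected response for a different origin.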
