We can't document all the ways to misconfigure CORS, but I think we can add a note about this particular combination somewhere near the credentials: true docs.
With origin: true and credentials: true, cors reflects any request Origin into Access-Control-Allow-Origin and sets Access-Control-Allow-Credentials: true, so a page on any origin can read responses to credentialed (cookie-bearing) requests. Because Access-Control-Allow-Credentials: true can't be combined with Access-Control-Allow-Origin: *, reflecting the origin is a common workaround that quietly opens this hole.
Perhaps in future versions we could choose to prevent such a configuration, but for now we can consider adding a note to the docs.
ref (closed, private) https://github.com/expressjs/cors/security/advisories/GHSA-8gfh-8qhq-hv6f
We can't document all the ways to misconfigure CORS, but I think we can add a note about this particular combination somewhere near the
credentials: truedocs.With
origin: trueandcredentials: true,corsreflects any request Origin intoAccess-Control-Allow-Originand setsAccess-Control-Allow-Credentials: true, so a page on any origin can read responses to credentialed (cookie-bearing) requests. BecauseAccess-Control-Allow-Credentials: truecan't be combined withAccess-Control-Allow-Origin: *, reflecting the origin is a common workaround that quietly opens this hole.Perhaps in future versions we could choose to prevent such a configuration, but for now we can consider adding a note to the docs.
ref (closed, private) https://github.com/expressjs/cors/security/advisories/GHSA-8gfh-8qhq-hv6f