Skip to content

Add a note in the docs about origin: true and credentials: true being dangerous #422

Description

@jonchurch

We can't document all the ways to misconfigure CORS, but I think we can add a note about this particular combination somewhere near the credentials: true docs.

With origin: true and credentials: true, cors reflects any request Origin into Access-Control-Allow-Origin and sets Access-Control-Allow-Credentials: true, so a page on any origin can read responses to credentialed (cookie-bearing) requests. Because Access-Control-Allow-Credentials: true can't be combined with Access-Control-Allow-Origin: *, reflecting the origin is a common workaround that quietly opens this hole.

Perhaps in future versions we could choose to prevent such a configuration, but for now we can consider adding a note to the docs.

ref (closed, private) https://github.com/expressjs/cors/security/advisories/GHSA-8gfh-8qhq-hv6f

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions