We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
If you pass in a blank string to origins in your Rack::Cors-config…
origins
Rack::Cors
allow do origins '' ... end
…you allow all origins access.
The empty string is turned into a regex at lib/rack/cors.rb:264.
lib/rack/cors.rb:264
Now, this probably wouldn't be typed in like this, but it could end up like this because of some mistake like this:
allow do origins /\Amyactualappdomain[01]\.com\z/, APP_CONFIG.some_other_domain ... end
where that config is set to an empty string for whatever reason.
This, combined with the default setting of true for Access-Control-Allow-Credentials (see #126) could potentially be quite dangerous.
true
Access-Control-Allow-Credentials
The text was updated successfully, but these errors were encountered:
Ignore empty strings in Origin configuration
6ff9134
[Fixes #139]
No branches or pull requests
If you pass in a blank string to
originsin yourRack::Cors-config……you allow all origins access.
The empty string is turned into a regex at
lib/rack/cors.rb:264.Now, this probably wouldn't be typed in like this, but it could end up like this because of some mistake like this:
where that config is set to an empty string for whatever reason.
This, combined with the default setting of
trueforAccess-Control-Allow-Credentials(see #126) could potentially be quite dangerous.The text was updated successfully, but these errors were encountered: