docs: warn about dangerous origin:true + credentials:true combination #424
Open
luisangelrod wants to merge 2 commits into
Conversation
The warning is clear. One small addition that might prevent copy-paste mistakes is showing the dynamic allowlist shape, not only the static array case, since many apps need env-specific or tenant-specific origins. A short
Summary

Adds two targeted documentation warnings about the security risk of combining `origin: true` with `credentials: true`, as requested in #422.

When `origin` is `true`, the package reflects whatever origin the browser sends directly into `Access-Control-Allow-Origin`. When also combined with `Access-Control-Allow-Credentials: true`, this effectively grants every website on the internet the ability to make credentialed (cookie-bearing) cross-origin requests and read the responses — the same risk as `origin: '*'` with credentials, but without the explicit `*` that would at least make the intent obvious.

Changes

- `origin: true` bullet: appended a bold cross-reference to the `credentials` option warning
- `credentials` bullet: added a blockquote security note explaining the exact mechanism and recommending an explicit allowlist instead

Closes #422
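As an added example (not code from this PR or from the package), assuming the package is an Express-style CORS middleware whose `origin` option accepts a boolean, a string, an array or a function: the model below shows why `origin: true` with `credentials: true` exposes cookie-bearing responses to any site, why a literal `'*'` does not pass the browser's credentialed-read check, and the dynamic allowlist shape the review comment asks for.

```javascript
// Added illustration of the mechanism the PR warns about. This is not the
// package's code: it models how a reflecting CORS middleware resolves the
// Access-Control-Allow-Origin header for four option shapes. The function
// form is a synchronous predicate here for brevity; the real middleware's
// callback-style signature is not reproduced.
function resolveAllowOrigin(options, requestOrigin) {
  const { origin, credentials = false } = options;
  let allow = null;
  if (origin === true) {
    allow = requestOrigin; // reflect whatever Origin the browser sent
  } else if (typeof origin === 'string') {
    allow = origin; // fixed value such as '*' or one site
  } else if (Array.isArray(origin)) {
    allow = origin.includes(requestOrigin) ? requestOrigin : null;
  } else if (typeof origin === 'function') {
    allow = origin(requestOrigin) ? requestOrigin : null;
  }
  const headers = {};
  if (allow !== null) headers['Access-Control-Allow-Origin'] = allow;
  if (allow !== null && credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Browser-side check (Fetch CORS rules): a credentialed response is exposed
// to the page only when Allow-Origin equals the page's origin exactly and
// Allow-Credentials is 'true'. A literal '*' never satisfies this, which is
// why reflecting the origin is strictly worse than '*' with credentials.
function credentialedReadAllowed(headers, pageOrigin) {
  return headers['Access-Control-Allow-Origin'] === pageOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}

// The dangerous combination from the PR: every origin is reflected with credentials.
const reflectEverything = { origin: true, credentials: true };

// Hardened: an explicit allowlist (constructed sample origins). The function
// form is the dynamic shape the review comment asks for, e.g. origins loaded
// per environment or per tenant instead of a hard-coded array.
const allowedOrigins = new Set(['https://app.example.com', 'https://admin.example.com']);
const allowlisted = { origin: (o) => allowedOrigins.has(o), credentials: true };

// Walk one request origin through both configurations.
function compare(requestOrigin) {
  return {
    reflected: credentialedReadAllowed(resolveAllowOrigin(reflectEverything, requestOrigin), requestOrigin),
    allowlisted: credentialedReadAllowed(resolveAllowOrigin(allowlisted, requestOrigin), requestOrigin),
  };
}
```

For an unknown origin `compare` returns `{ reflected: true, allowlisted: false }`: the reflecting configuration lets that page read the credentialed response, the allowlist does not.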