
docs: warn about dangerous origin:true + credentials:true combination #424

Open
luisangelrod wants to merge 2 commits into expressjs:master from luisangelrod:docs/warn-origin-true-credentials

Conversation

@luisangelrod


Summary

Adds two targeted documentation warnings about the security risk of combining origin: true with credentials: true, as requested in #422.

When origin is true, the package reflects whatever origin the browser sends directly into Access-Control-Allow-Origin. When also combined with Access-Control-Allow-Credentials: true, this effectively grants every website on the internet the ability to make credentialed (cookie-bearing) cross-origin requests and read the responses — the same risk as origin: '*' with credentials, but without the explicit * that would at least make the intent obvious.

Changes

  • origin: true bullet: appended a bold cross-reference to the credentials option warning
  • credentials bullet: added a blockquote security note explaining the exact mechanism and recommending an explicit allowlist instead

Closes #422

@hiSandog


The warning is clear. One small addition that might prevent copy-paste mistakes is showing the dynamic allowlist shape, not only the static array case, since many apps need env-specific or tenant-specific origins. A short origin: function (origin, callback) { ... } example near this warning would make the safer alternative concrete for users who originally reached for origin: true because their origin list was not static.
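The following is an added example, not code from the cors package or from either commenter. It models the header decision the PR description describes (with `origin: true` the request's Origin is reflected into Access-Control-Allow-Origin, and with `credentials: true` the cookie-bearing response becomes readable by that origin) and shows the dynamic `origin: function (origin, callback)` allowlist shape suggested above. One caveat worth knowing: browsers refuse to expose a credentialed response when the header is the literal `*`, which is why the reflected-origin form, not the wildcard, is the one that actually works for an attacker. `corsHeadersFor`, `makeOriginChecker`, `isReflectedCredentialed`, the `tenantSuffix` rule and the example.com origins are assumptions made for this illustration; the decision values passed to the callback (`true` to allow and reflect the vetted origin, `false` to send no CORS headers) follow the cors package's documented convention.

```javascript
// Added example: a model of how the `origin` option becomes a response header,
// plus a dynamic allowlist in the (origin, callback) shape the cors package accepts.
// Not the cors package's own code; names and origins below are assumptions.

// Constructed data: the static part of the allowlist.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Builds an `origin` function. `tenantSuffix` is a hypothetical rule:
// any https subdomain of it is a tenant and is allowed.
function makeOriginChecker(allowed, tenantSuffix) {
  return function originCheck(requestOrigin, callback) {
    // No Origin header: same-origin page, curl, or server-to-server call.
    // Nothing to allow, so send no CORS headers rather than reflecting.
    if (!requestOrigin) return callback(null, false);
    let url;
    try {
      url = new URL(requestOrigin);
    } catch (e) {
      // Covers the literal "null" origin (sandboxed iframes, file://) and junk.
      return callback(null, false);
    }
    if (url.protocol !== 'https:') return callback(null, false);
    // Compare the normalized origin: "https://app.example.com:443" matches,
    // "https://evil.example/https://app.example.com" does not.
    if (allowed.has(url.origin)) return callback(null, true);
    // Suffix match on the hostname only, including the leading dot, so
    // "evil.tenant.example.net.attacker.example" is rejected.
    if (url.hostname.endsWith('.' + tenantSuffix)) return callback(null, true);
    return callback(null, false);
  };
}

// Model of the per-request header decision. Returns the CORS headers that
// would be set; an empty object means the browser will not expose the response.
function corsHeadersFor(options, requestOrigin) {
  const { origin, credentials } = options;
  let allowOrigin;
  if (origin === true) {
    allowOrigin = requestOrigin;               // reflect whatever the browser sent
  } else if (typeof origin === 'string') {
    allowOrigin = origin;                      // fixed value, e.g. '*'
  } else if (Array.isArray(origin)) {
    allowOrigin = origin.includes(requestOrigin) ? requestOrigin : undefined;
  } else if (typeof origin === 'function') {
    // The real middleware waits for the callback; this checker calls it synchronously.
    origin(requestOrigin, (err, decision) => {
      if (err || !decision) return;
      allowOrigin = decision === true ? requestOrigin : decision;
    });
  }
  const headers = {};
  if (allowOrigin) {
    headers['Access-Control-Allow-Origin'] = allowOrigin;
    if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Configuration lint for the combination this PR warns about.
function isReflectedCredentialed(options) {
  return options.origin === true && options.credentials === true;
}

const UNSAFE = { origin: true, credentials: true };
const SAFE = {
  origin: makeOriginChecker(ALLOWED_ORIGINS, 'tenant.example.net'),
  credentials: true,
};

for (const o of ['https://evil.example', 'https://app.example.com', 'https://acme.tenant.example.net']) {
  console.log(o, 'unsafe:', corsHeadersFor(UNSAFE, o), 'safe:', corsHeadersFor(SAFE, o));
}
```

With the unsafe configuration `https://evil.example` receives both `Access-Control-Allow-Origin: https://evil.example` and `Access-Control-Allow-Credentials: true`, so a page there can read the cookie-bearing response; with the checker it receives no CORS headers at all, while the listed origins and tenant subdomains still get the reflected, vetted value. The checker also rejects http origins, suffix-spoofed hosts and the `null` origin, which are the cases a hand-written `endsWith` or `includes` check tends to get wrong.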



Development

Successfully merging this pull request may close these issues.

Add a note in the docs about origin: true and credentials: true being dangerous

2 participants