Setting blank string origin in config allows all origins #139
If you pass in a blank string to `origins` in your Rack::Cors config... you allow all origins access.

The empty string is turned into a regex at lib/rack/cors.rb:264.

Now, this probably wouldn't be typed in like this, but it could end up like this because of some mistake like this:

where that config is set to an empty string for whatever reason.

This, combined with the default setting of `true` for Access-Control-Allow-Credentials (see #126), could potentially be quite dangerous.
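The failure mode reported above, as an added example that is not part of the issue and not rack-cors's own code: a toy origin matcher built the naive way (an assumed, unanchored string-to-Regexp step standing in for whatever lib/rack/cors.rb did at the time) next to a hardened one that rejects blank entries and anchors each pattern to a full origin, plus a small `cors_headers` helper that shows why the combination with Access-Control-Allow-Credentials: true is the dangerous part. It goes slightly beyond the report by also handling full `scheme://host[:port]` entries and an explicit `*`. The function names, `BlankOriginError` and the `CORS_ORIGINS_EXAMPLE` variable are all assumptions.

```ruby
# Added illustration of a blank origin widening a CORS allow-list.
# NOT rack-cors's code: naive_origin_matchers is an assumed conversion with
# the same weakness; strict_origin_matchers is a hardened version.

# Assumed naive conversion: every configured string becomes an unanchored
# Regexp. Regexp.new(Regexp.escape('')) is //, which matches any origin.
def naive_origin_matchers(origins)
  Array(origins).map do |o|
    case o
    when Regexp then o
    when '*'    then /.*/
    else Regexp.new(Regexp.escape(o.to_s))
    end
  end
end

def naive_allowed?(origins, request_origin)
  naive_origin_matchers(origins).any? { |re| re.match?(request_origin.to_s) }
end

class BlankOriginError < ArgumentError; end

# Hardened conversion: nil/blank entries raise instead of silently widening
# the list, and every pattern is anchored to a whole "scheme://host[:port]".
def strict_origin_matchers(origins)
  Array(origins).map do |o|
    raise BlankOriginError, 'blank origin in CORS config' if o.nil? || o.to_s.strip.empty?
    case o
    when Regexp then o
    when '*'    then :any                       # explicit wildcard only
    when %r{\A[a-z][a-z0-9+.\-]*://}i           # full origin supplied
      /\A#{Regexp.escape(o)}\z/i
    else                                        # bare host[:port]
      %r{\A[a-z][a-z0-9+.\-]*://#{Regexp.escape(o)}\z}i
    end
  end
end

def strict_allowed?(origins, request_origin)
  strict_origin_matchers(origins).any? do |m|
    m == :any ? true : m.match?(request_origin.to_s)
  end
end

# Headers a middleware would emit for a matched request. With credentials
# enabled the request Origin is reflected, so a match-everything rule hands
# any site credentialed (cookie-bearing) cross-origin access.
def cors_headers(origins, request_origin, credentials: true, strict: true)
  allowed = strict ? strict_allowed?(origins, request_origin)
                   : naive_allowed?(origins, request_origin)
  return {} unless allowed
  headers = { 'Access-Control-Allow-Origin' => request_origin }
  headers['Access-Control-Allow-Credentials'] = 'true' if credentials
  headers
end

if $PROGRAM_NAME == __FILE__
  # Constructed config: an env var meant to hold the allowed origin but
  # left empty in this deployment (the "mistake" the report describes).
  configured = ENV.fetch('CORS_ORIGINS_EXAMPLE', '')
  p cors_headers([configured], 'https://attacker.example', strict: false)
  begin
    cors_headers([configured], 'https://attacker.example')
  rescue BlankOriginError => e
    puts "strict: #{e.message}"
  end
end
```

The naive path reflects `https://attacker.example` with credentials enabled; the strict path fails at boot, which is the behaviour you want for a config that could only ever be a mistake. Anchoring also closes the separate hole where an unanchored `example.com` matches `https://example.com.evil.example`.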