KaufmannDigital / KaufmannDigital.GDPR.CookieConsent

A ready-to-run package, that integrates an advanced cookie consent banner into your Neos CMS site.
https://www.kaufmann.digital/neos-cms/plugins/dsgvo-gdpr-cookie-consent
GNU General Public License v3.0

Insecure Cross-Origin Resource Sharing Configuration #51

Closed TheLalaMan closed 10 months ago

TheLalaMan commented 1 year ago

A routine security scan made me aware of the fact that the plugin uses a rather insecure CORS header configuration:

/api/kd-gdpr-cc?siteNode=/sites/lala@live;language=en

The scanner has detected an insecure CORS configuration on the target application : The application is configured to allow a public third party service to issue cross-domains requests. This configuration allows an attacker to host a malicious javascript on this public third service and then perform cross-domains requests with user credentials and access the responses.

Access-Control-Allow-Origin header should be set to allow only known and trusted domains to issue CORS requests.

Which in turn made me think about why the configuration is even there - I do not see the use case to allow cross-origin requests in a cookie plugin. Maybe you could explain that?

Also looking at the code I saw that for a long time there was a TODO related to the CORS header configuration to make this configurable, which would be beneficial for us.

I would be happy to assist with a PR once I fully understand the use case behind the loose CORS header configuration!
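The allow-list approach the scanner recommends, as an added example in plain PHP: this is not the plugin's own code and does not use Neos Flow's configuration or HTTP APIs (those are assumed to wrap this logic); the function names, the allow-list values and the sample origins are assumptions. It resolves the Access-Control-Allow-Origin value from an explicit list of trusted origins instead of sending "*" or reflecting whatever Origin the request carries, and adds Vary: Origin so shared caches do not mix responses for different origins.

```php
<?php
// Added example (not code from the KaufmannDigital.GDPR.CookieConsent project):
// derive Access-Control-Allow-Origin from an explicit allow-list.
// Function names, allow-list entries and sample origins below are assumptions.

declare(strict_types=1);

/**
 * Returns the origin to send back in Access-Control-Allow-Origin, or null when
 * the request's Origin is not trusted (then no ACAO header is sent at all).
 *
 * The comparison is exact on scheme + host + port, so neither a prefix such as
 * "https://example.test.attacker.test" nor a different scheme matches an entry
 * "https://example.test".
 */
function resolveAllowedOrigin(?string $requestOrigin, array $allowedOrigins): ?string
{
    if ($requestOrigin === null || $requestOrigin === '') {
        return null; // same-origin or non-browser request: no CORS header needed
    }

    $normalized = rtrim(strtolower($requestOrigin), '/');
    foreach ($allowedOrigins as $allowed) {
        if ($normalized === rtrim(strtolower($allowed), '/')) {
            return $allowed; // echo the configured value, not the raw request header
        }
    }
    return null;
}

/**
 * Builds the CORS response headers for a request. Because the ACAO value
 * depends on the request's Origin, "Vary: Origin" is always included so a
 * cache never serves one origin's response to another.
 */
function buildCorsHeaders(?string $requestOrigin, array $allowedOrigins): array
{
    $headers = ['Vary' => 'Origin'];
    $origin = resolveAllowedOrigin($requestOrigin, $allowedOrigins);
    if ($origin !== null) {
        $headers['Access-Control-Allow-Origin'] = $origin;
        $headers['Access-Control-Allow-Methods'] = 'GET, OPTIONS';
    }
    return $headers;
}

// --- The insecure variant the scanner flags, kept only for contrast ---
// header('Access-Control-Allow-Origin: *');  // every site may read the response
// Reflecting the request's Origin verbatim is no better, and combined with
// Access-Control-Allow-Credentials: true it exposes authenticated responses.

// Constructed sample: allow-list as it might come from site configuration
$allowedOrigins = ['https://www.example.test', 'https://preview.example.test'];

$sampleOrigins = [
    'https://www.example.test',               // trusted: ACAO is set
    'https://www.example.test.attacker.test', // prefix trick: no ACAO header
    'http://www.example.test',                // wrong scheme: no ACAO header
    null,                                     // no Origin: plain same-origin request
];

foreach ($sampleOrigins as $origin) {
    $headers = buildCorsHeaders($origin, $allowedOrigins);
    echo str_pad($origin ?? '(no Origin)', 42) . ' => ' . json_encode($headers) . PHP_EOL;
}
```

In a Flow controller the allow-list would come from Settings.yaml and the headers would be set on the response object rather than echoed, but the decision logic stays the same: a request whose Origin is not on the list simply gets no Access-Control-Allow-Origin header, which the browser treats as "not allowed".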

ecoben commented 11 months ago

+1 for making the CORS headers configurable (or block CORS altogether?) This would resolve the TODO mentioned previously in https://github.com/KaufmannDigital/KaufmannDigital.GDPR.CookieConsent/blob/5a18d72a9bb305b40bf3dd65ad50eaa44cd79c4e/Classes/Controller/ApiController.php#L50

Nikdro commented 11 months ago

Hey @ecoben and @TheLalaMan,

thanks for your feedback. I'll have a look at it in the next few days and come back to you with details then :)

ecoben commented 11 months ago

@Nikdro and I have agreed on the following today:

ecoben commented 10 months ago

The PR by @ru3fu5z is ready for review: https://github.com/KaufmannDigital/KaufmannDigital.GDPR.CookieConsent/pull/52

Would you look into it when you find time, @Nikdro ?