Closed taoeffect closed 8 years ago
Hapi is a framework which does very, very little out of the box. Enabling CORS with this plugin allows cross-origin requests with credentials from any domain, which is not allowed by default in CORS’ design. It’s cool because it works by default, out of the box as you say, but it is potentially a security issue. You shouldn’t use it with simple cookie-based authentication, as it makes it super simple to steal a session from any domain. I’ll close this issue as it’s not a bug that needs fixing, but feel free to comment if you have another question.
So, I get the part about the security issue, but why isn't it a simple config option in Hapi to say: allowedDomains: ['domain1.com', 'domain2.com']?
¯\_(ツ)_/¯
Is that something that's relatively easy to implement?
If so could this plugin implement it?
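The allow-list idea above, as an added example that is not part of this thread, the plugin, or hapi's own API: a framework-agnostic function that decides the CORS response headers from the request's Origin header. The origins in ALLOWED_ORIGINS are constructed sample values. The unsafe variant that reflects any origin is shown beside it, because that is what "works from any domain" with credentials amounts to.

```javascript
// Added example (not from the thread or from hapi): allow-list CORS decision
// written as a plain function so it can be tested without a running server.
// The origins below are constructed sample values, not from the original post.
const ALLOWED_ORIGINS = new Set([
  'http://localhost:3000',
  'https://app.example.com',
]);

// Build the CORS response headers for a request carrying `originHeader`.
// Returns null when the origin is not allow-listed, so the caller emits no
// Access-Control-Allow-* headers at all and the browser blocks the
// cross-origin read of the response.
function corsHeadersFor(originHeader, { credentials = true } = {}) {
  // No Origin header: same-origin or non-browser client, nothing to grant.
  if (typeof originHeader !== 'string') return null;
  // Exact match on scheme + host + port; substring or regex checks are a
  // classic source of bypasses (e.g. a host that merely starts with ours).
  if (!ALLOWED_ORIGINS.has(originHeader)) return null;

  const headers = {
    // Echo the *matched* origin, never '*': browsers reject '*' together
    // with credentials, and reflecting arbitrary origins recreates the
    // session-theft problem described in the comment above.
    'Access-Control-Allow-Origin': originHeader,
    // The response depends on Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
  if (credentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// The unsafe counterpart for comparison: whatever Origin arrives is echoed
// back with credentials allowed. Any site can then read authenticated
// responses from a user's cookie session.
function reflectAnyOrigin(originHeader) {
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Stand-alone demo with constructed requests.
for (const origin of ['http://localhost:3000', 'http://evil.test', undefined]) {
  console.log(origin, '->', corsHeadersFor(origin));
}
```

In a server the returned object is copied onto the preflight and actual responses; a null result means the route answers without any CORS grant, which is the correct default for cookie-authenticated APIs.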
I honestly don’t know, best would be to discuss this in the hapi repository. I don’t know the inner working of hapi, I’m just a user myself :)
@gr2m ok, per your suggestion I opened https://github.com/hapijs/discuss/issues/262.
I spent several hours trying to figure out how to get Hapi to simply respond to AJAX requests from localhost:8080 to localhost:3000, and never did figure it out. It was only by installing this thing that things started working. I did not realize I was supposed to write 25 lines of code to get this simple behavior working. It would be great if this was a simple and clear thing to do in Hapi without additional plugins.
Also ref: https://github.com/hapijs/discuss/issues/57#issuecomment-202183671