Closed tjvr closed 7 years ago
Here's the gist of my concern about this: any AJAX/XHR request from JS should Just Work™. I'm not sure if standard ajax/xhr request things add these headers?
XHR requests add CORS headers. I believe Origin is part of the CORS spec. This should allow any JS requests, while disallowing casual browsing.
(btw, can you rebase this on master? Looks like there are some conflicts in the test files)
done :)
Based on the previous PR #68, this delightful piece of code sends a 403 if people try to access cross-origin from:
Pros:
Cons:
curl -H 'Origin: foo' ...
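To make the trade-off discussed in this thread concrete, here is an added example (not code from this PR or from its project) of the Origin check as the thread describes it, alongside an allowlisted variant, run against constructed request headers for the cases mentioned: a browser XHR, ordinary address-bar browsing, and a non-browser client that sets Origin itself. The function names, sample hosts and header values are hypothetical.

```python
# Added illustration for this thread (not code from the PR under discussion).
# Names (origin_gate, origin_gate_allowlist, *.example.test hosts) are hypothetical.
from typing import Mapping, Optional, Set, Tuple


def get_origin(headers: Mapping[str, str]) -> Optional[str]:
    """Look up the Origin header case-insensitively (HTTP header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "origin":
            return value
    return None


def origin_gate(headers: Mapping[str, str]) -> Tuple[int, str]:
    """The check as described in the thread: 403 when Origin is absent, 200 otherwise.

    Browsers attach Origin to cross-origin XHR/fetch requests but not to ordinary
    address-bar navigation, so JS callers get through and casual browsing is turned away.
    """
    origin = get_origin(headers)
    if origin is None:
        return 403, "no Origin header: looks like direct browsing"
    return 200, f"allowed, Origin={origin}"


def origin_gate_allowlist(headers: Mapping[str, str], allowed: Set[str]) -> Tuple[int, str]:
    """Tighter variant: Origin must be present *and* be one of the expected page origins.

    In a browser this limits which sites' JS may call the endpoint, because the browser
    fills in Origin itself. It is still not authentication: a non-browser client chooses
    its own Origin value, which is the "Cons" point made in the thread.
    """
    origin = get_origin(headers)
    if origin is None:
        return 403, "no Origin header"
    if origin not in allowed:
        return 403, f"Origin {origin!r} not in allowlist"
    return 200, f"allowed, Origin={origin}"


# Constructed sample requests (header dicts only; nothing touches the network).
XHR_FROM_PAGE = {"Host": "api.example.test", "Origin": "https://app.example.test"}
BROWSER_NAVIGATION = {"Host": "api.example.test", "Accept": "text/html"}
CURL_ORIGIN_FOO = {"Host": "api.example.test", "Origin": "foo"}  # curl -H 'Origin: foo'
CURL_ORIGIN_COPIED = {"Host": "api.example.test", "Origin": "https://app.example.test"}

ALLOWED = {"https://app.example.test"}


def run_cases() -> dict:
    """Return the status each gate gives each sample so the behaviour can be read off."""
    samples = {
        "xhr_from_page": XHR_FROM_PAGE,
        "browser_navigation": BROWSER_NAVIGATION,
        "curl_origin_foo": CURL_ORIGIN_FOO,
        "curl_origin_copied": CURL_ORIGIN_COPIED,
    }
    return {
        name: {
            "plain": origin_gate(h)[0],
            "allowlist": origin_gate_allowlist(h, ALLOWED)[0],
        }
        for name, h in samples.items()
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:20s} plain={result['plain']} allowlist={result['allowlist']}")
```

The last sample is the one to read carefully: the allowlist rejects `Origin: foo`, but a client that copies the expected origin into the header passes both gates. Browsers set Origin faithfully, so the check does what the thread wants for page-embedded JS versus address-bar browsing; it should be treated as a casual-browsing deterrent, not as access control.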