jdesrosiers / silex-cors-provider

A silex service provider that adds CORS services to silex
MIT License

CORS default shouldn't be null #36

Closed slipo closed 7 years ago

slipo commented 7 years ago

I know this has been brought up here: https://github.com/jdesrosiers/silex-cors-provider/issues/25

But really "null" should not be the default where there's no origin match. Its use is now discouraged.

Here's some more info: https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null https://web-in-security.blogspot.de/2017/07/cors-misconfigurations-on-large-scale.html http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html https://www.youtube.com/watch?v=wgkj4ZgxI4c
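The following is an added example written for this issue page; it is not code from silex-cors-provider. It models the two server-side policies the issue contrasts, falling back to `Access-Control-Allow-Origin: null` versus omitting the header when the request's Origin is not on the allowlist, and checks each against the browser's read rule. The allowlist entries and the attacker origin are assumed, constructed values.

```javascript
// Added example, not part of silex-cors-provider. Origin values below are constructed.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Weak policy: echo a matching Origin, otherwise fall back to the literal string "null".
// Browsers send "Origin: null" for sandboxed iframes, data:/file: documents and some
// redirected requests, so an attacker page can obtain that Origin, match the fallback,
// and read the response, including a credentialed one.
function weakAllowOrigin(requestOrigin) {
  return ALLOWED_ORIGINS.has(requestOrigin) ? requestOrigin : 'null';
}

// Hardened policy: echo only an exact allowlisted Origin; otherwise send no
// Access-Control-Allow-Origin header at all (undefined here), so the browser
// blocks the cross-origin read.
function strictAllowOrigin(requestOrigin) {
  if (typeof requestOrigin !== 'string') return undefined;
  return ALLOWED_ORIGINS.has(requestOrigin) ? requestOrigin : undefined;
}

// Browser-side check: a page with origin `pageOrigin` may read the response only if
// the ACAO header is exactly that origin, or "*" for a request without credentials.
function browserAllowsRead(pageOrigin, acaoHeader, withCredentials) {
  if (acaoHeader === undefined) return false;
  if (acaoHeader === '*') return !withCredentials;
  return acaoHeader === pageOrigin;
}

// Run a policy over a constructed set of Origin request-header values for a
// credentialed request and report which pages could read the response.
function evaluatePolicy(policy) {
  const cases = [
    'https://app.example.com',  // legitimate caller
    'https://evil.example.net', // unrelated attacker site
    'null',                     // attacker page inside a sandboxed iframe
    undefined,                  // no Origin header (not a CORS request)
  ];
  const readable = {};
  for (const origin of cases) {
    const acao = policy(origin);
    readable[String(origin)] = browserAllowsRead(origin, acao, true);
  }
  return readable;
}

// Usage: the weak policy lets the "null" origin read, the strict policy does not.
console.log('weak  :', evaluatePolicy(weakAllowOrigin));
console.log('strict:', evaluatePolicy(strictAllowOrigin));
```

The only difference between the two policies is the fallback branch, which is exactly the default the issue asks to change: with the `"null"` fallback, the `Origin: null` case is readable by the attacker page, while every other non-allowlisted origin is still blocked. Omitting the header on no match closes that case without affecting legitimate callers.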

jdesrosiers commented 7 years ago

@slipo I had no idea that "null" could be exploited like that. Thanks for the PR and the reference links!