monsur / enable-cors.org

Advocacy for CORS
http://enable-cors.org/

add security tab? #82

Closed jht5945 closed 9 years ago

jht5945 commented 9 years ago

enable-cors has these tabs:

Home
Server
Client
Resources
Test
Suggest!
Help!

Should we add a security tab? Security is so important, I think.

monsur commented 9 years ago

Were there particular topics within security you'd like to see covered? It's simple enough to add a new tab; the question is what topics to cover, and where that content comes from. Thanks!

jht5945 commented 9 years ago

I'm not good at CORS.

But I know * is very dangerous, and the method TRACE is also very dangerous (it will display back the cookies you send, including HttpOnly cookies).

jht5945 commented 9 years ago

and what about this:

> The attacker may trigger x-domain requests through AJAX, although he cannot read the responses
> - CSRF exploits
> - Invisible Arbitrary CSRF File Upload – Kotowicz [4]

```js
var xhr = new XMLHttpRequest();
xhr.open("POST", [URL], true);   // [URL]: the target endpoint, as in the slide
xhr.withCredentials = true;      // browser attaches the victim's cookies to the request
xhr.send();                      // slide had `http.send()`, an undefined variable
```

ref: https://www.owasp.org/images/7/7c/Gentile_OWASP_EU_Tour_2013.pdf
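The two points raised in the thread (a too-permissive allowed-origin policy, and the fact that a credentialed cross-origin POST still reaches the server even when the attacker cannot read the response) can be shown side by side in server-side logic. The block below is an added example for this issue, not code from enable-cors.org or from the book mentioned later; the origins in `ALLOWED_ORIGINS` and the `handle` wiring are assumptions for illustration. One caveat worth stating: browsers refuse to expose a credentialed response when the server answers with a literal `Access-Control-Allow-Origin: *`, so the pattern that is actually exploitable is a server that reflects any request `Origin` back together with `Access-Control-Allow-Credentials: true`; that is the "reflecting" variant below.

```javascript
// Added example (not from enable-cors.org). Pure functions that compute
// CORS response headers and a CSRF/method check, so the policy can be
// exercised without running a server.

// Assumption: these are the site's own front-end origins.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Insecure policy: echo whatever Origin the browser sent and allow
// credentials. Any attacker-controlled page can then read authenticated
// responses from this server with the victim's cookies attached.
function corsHeadersReflecting(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Safer policy: allow credentials only for origins on an explicit allowlist.
// Unknown origins get no CORS headers at all, so the browser refuses to hand
// the response to the cross-origin page.
function corsHeadersAllowlisted(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// CORS only gates reading the response; the credentialed POST from the
// slide snippet still reaches the server and is executed. State-changing
// requests therefore need their own check. `headers` uses Node's
// lower-cased header names. Returning false means "answer 403".
function isStateChangeAllowed(method, headers, allowed = ALLOWED_ORIGINS) {
  const m = method.toUpperCase();
  if (m === 'TRACE') return false;                       // never serve TRACE
  if (['GET', 'HEAD', 'OPTIONS'].includes(m)) return true;
  const origin = headers['origin'];
  if (origin) return allowed.has(origin);                // cross-origin browser POSTs always carry Origin
  // No Origin: accept only if the browser asserts same-origin via Sec-Fetch-Site.
  // Non-browser API clients should be handled by a token scheme instead.
  return headers['sec-fetch-site'] === 'same-origin';
}

// How the helpers would be wired into a plain Node http handler
// (assumed shape; not invoked here).
function handle(req, res) {
  const cors = corsHeadersAllowlisted(req.headers['origin']);
  for (const [k, v] of Object.entries(cors)) res.setHeader(k, v);
  if (req.method === 'OPTIONS') { res.statusCode = 204; return res.end(); }
  if (!isStateChangeAllowed(req.method, req.headers)) {
    res.statusCode = 403;
    return res.end('cross-origin request rejected');
  }
  res.end('ok');
}

module.exports = { corsHeadersReflecting, corsHeadersAllowlisted, isStateChangeAllowed, handle };
```

`Vary: Origin` is included so a shared cache does not serve one origin's `Access-Control-Allow-Origin` value to another; a preflight for a non-simple request would additionally need `Access-Control-Allow-Methods`/`-Headers`, which are omitted here to keep the policy comparison readable.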

monsur commented 9 years ago

BTW, if you are interested in learning more about CORS security, my book CORS in Action was just released this month. There is a section in Chapter 6 covering CORS security.

monsur commented 9 years ago

Note that I'm also going to close this issue since it was also mentioned in #70. Let's take this discussion there in order to keep things together.