csp-logger can optionally return CORS headers, but it can be a security problem allowing for a DDoS.
I guess we could use the whitelist as allowed CORS domains and add an 'overrideCORS' config option to the configuration in case the user wants to set them differently.
But maybe it should be off by default and only enabled by config?
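
One way the proposal above could look, as an added example that is not csp-logger's own code: CORS headers are off unless enabled, the whitelist doubles as the allowed-origin list, and `overrideCORS` replaces it when set. The key names `enableCORS` and `domainWhitelist`, the function `corsHeaders`, and the assumption that both lists hold bare hostnames are hypothetical; only `overrideCORS` comes from the issue.

```javascript
// Constructed sample config. 'enableCORS' and 'domainWhitelist' are
// hypothetical key names; 'overrideCORS' is the option named in the issue.
const sampleConfig = {
  enableCORS: true,
  domainWhitelist: ['app.example.com', 'www.example.com'],
};

// Returns the CORS response headers for one request, or {} for none.
function corsHeaders(config, requestOrigin) {
  // Off by default: nothing is emitted unless explicitly enabled.
  if (!config || config.enableCORS !== true) return {};

  // overrideCORS, when present, replaces the whitelist entirely.
  const allowedHosts = Array.isArray(config.overrideCORS)
    ? config.overrideCORS
    : (config.domainWhitelist || []);

  if (typeof requestOrigin !== 'string') return {};
  let url;
  try {
    url = new URL(requestOrigin);
  } catch {
    return {}; // "null" and other unparsable Origin values get no headers
  }
  // Accept only a bare origin (scheme://host[:port]), nothing with a path.
  if (url.origin !== requestOrigin) return {};

  // Exact hostname match: no substring, suffix, or wildcard comparison,
  // so app.example.com.evil.test does not pass as app.example.com.
  if (!allowedHosts.includes(url.hostname)) return {};

  // Echo the single matching origin, never "*". Vary keeps caches from
  // serving one origin's response to another.
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Vary': 'Origin',
  };
}
```
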