scorelab / Stackle

Stackle is a web communication portal aimed at providing open source organizations with a platform for discussions on their GitHub projects and issues. It provides GitHub integration, which allows an administrator of an organization to create a forum thread for that organization. Users who sign in can view the forums of the organizations they contribute to and take part in the forum discussions.
Apache License 2.0

Cross-Domain Misconfiguration on Stackle App #192

Open thishnika opened 3 years ago

thishnika commented 3 years ago

Fixes CWE-264, CWE-269, CWE-269 & WASC-14 vulnerabilities on Stackle-app

Changes proposed in the pull request

Configure the "Access-Control-Allow-Origin" HTTP response header to a more restrictive set of domains, instead of the wildcard (*)

Impact

Allows web browsers to enforce the Same Origin Policy (SOP) in a more restrictive manner

Other information

References

  1. http://www.hpenterprisesecurity.com/vulncat/en/vulncat/vb/html5_overly_permissive_cors_policy.html
  2. https://www.packetlabs.net/cross-origin-resource-sharing-cors/
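A worked illustration of the change proposed above, added here and not part of Stackle or this pull request: it contrasts the wildcard header with an allowlist check that echoes back only an exact, normalised origin and sends no CORS header otherwise. The allowlist entries, the `restrictiveCorsHeaders` and `corsMiddleware` names and the Express-style `req.get`/`res.set` API are assumptions.

```javascript
// Added example (not Stackle's own code): derive CORS response headers from an
// explicit origin allowlist instead of the wildcard "*" the pull request removes.
// The allowlist entries are constructed placeholders, not Stackle's real hosts.

const ALLOWED_ORIGINS = new Set([
  'https://stackle.example.org',        // constructed placeholder for the frontend
  'https://admin.stackle.example.org',  // constructed placeholder for an admin UI
]);

// Permissive "before": every origin is accepted, so any site a user visits
// can read this API's responses from the user's browser.
function wildcardCorsHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Restrictive "after": only an exact allowlisted Origin is echoed back.
// Returns {} for a missing, malformed or unlisted Origin, so the browser's
// Same Origin Policy blocks the cross-site read. "Vary: Origin" stops a
// shared cache from serving one origin's header to a different origin.
function restrictiveCorsHeaders(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string') return {};
  let parsed;
  try {
    parsed = new URL(originHeader);      // throws on "null" or garbage values
  } catch {
    return {};
  }
  // Compare the normalised origin (scheme + host + port), never a substring
  // or prefix, so "https://stackle.example.org.attacker.test" does not match.
  const origin = parsed.origin;
  if (!allowed.has(origin)) return {};
  return { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
}

// Express-style middleware (assumes req.get, res.set, res.sendStatus exist).
function corsMiddleware(req, res, next) {
  const headers = restrictiveCorsHeaders(req.get('Origin'));
  for (const [name, value] of Object.entries(headers)) res.set(name, value);
  if (req.method === 'OPTIONS') return res.sendStatus(204); // preflight reply
  next();
}
```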