steedos / steedos-platform

Steedos is an open-source alternative to Salesforce Low-Code Platform. 🤖 🎨 🚀 Built on nodejs, mongodb, react, amis.
https://www.steedos.org

[Bug]: Access-Control-Allow-Origin is * in the sockjs/info response, which is a security risk #6964

Closed chenzhipei closed 1 month ago

chenzhipei commented 1 month ago

Description

A customer's vulnerability scan report flagged: CORS (Cross-Origin Resource Sharing) origin validation failure. On inspection, the sockjs/info request has this problem. Version: 2.6

Steps To Reproduce

Access a 2.6 deployment and inspect the sockjs/info request; in the response headers, Access-Control-Allow-Origin is *.

Version

2.6

sunhaolin commented 1 month ago

ff3716b5435f36644aa77f696f878d48faf1f906

sunhaolin commented 1 month ago

The npm package sockjs that meteor depends on always returns Access-Control-Allow-Origin as *, so this was resolved through nginx configuration.
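As an added example, not Steedos' own configuration and not the content of the commit referenced above: an nginx reverse-proxy block in the spirit of the fix described, hiding the upstream wildcard header and re-emitting Access-Control-Allow-Origin only for an explicit allow-list. The upstream address, server name and allowed origins are placeholders.

```nginx
# Added example (not Steedos' own configuration): replace the wildcard
# Access-Control-Allow-Origin that the bundled sockjs sets with an allow-list.
# Assumptions: Steedos listens on 127.0.0.1:3000 behind this nginx; the
# hostnames below are placeholders to be replaced with real ones.

map $http_origin $cors_origin {
    default                           "";            # unknown origin: emit no CORS header
    "~^https://app\.example\.com$"    $http_origin;  # placeholder allowed origin
    "~^https://admin\.example\.com$"  $http_origin;  # placeholder allowed origin
}

server {
    listen 443 ssl;
    server_name steedos.example.com;   # placeholder
    # ssl_certificate / ssl_certificate_key omitted for brevity

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;   # sockjs websocket transport
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;

        # Drop the upstream's Access-Control-Allow-Origin: * ...
        proxy_hide_header Access-Control-Allow-Origin;
        # ... and re-add it only for allow-listed origins. add_header skips
        # empty values, so a non-listed Origin gets no CORS header at all.
        add_header Access-Control-Allow-Origin $cors_origin always;
        # Responses now differ per Origin; keep shared caches from mixing them.
        add_header Vary Origin always;
    }
}
```

To verify after reload, request /sockjs/info once with an allow-listed Origin header and once with an arbitrary one (for example with curl -I -H "Origin: ..."): only the first response should carry Access-Control-Allow-Origin, and it should echo that origin rather than *.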