It should be noted that CORSing without discretion can render CSRF protection completely useless. If your site adds the Access-Control-Allow-Credentials header, malicious sites can detect whether a user is logged in, manipulate user data, or do other nasty things to your users. For APIs, though, this generally isn't an issue (and who uses cookies with their API anyway?)
----- Original Message -----
From: "Daniel Veditz" <dved...@mozilla.com>
To: pete...@mozilla.com
Cc: "Peter Bengtsson" <pbengts...@mozilla.com>, dev-web...@lists.mozilla.org, "Fred Wenzel" <fwen...@mozilla.com>, dev-security@lists.mozilla.org, secur...@mozilla.com
Sent: Monday, August 26, 2013 5:54:24 PM
Subject: Re: [webdev] Why not CORS:*?

On 8/26/2013 5:52 PM, Daniel Veditz wrote:
> CORS: * is always safe for a public site, or at least as safe as your
> application is for users of pre-CORS browsers. (maybe not so great for
> intranet sites.)

Meant to include a link to the authoritative blog on the subject:
http://annevankesteren.nl/2012/12/cors-101

-Dan Veditz

_______________________________________________
dev-webdev mailing list
dev-web...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-webdev

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
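The two messages above disagree only on which configuration is being discussed: a bare `Access-Control-Allow-Origin: *` versus a policy that also sets `Access-Control-Allow-Credentials`. The following is an added example, not code from the thread or from Mozilla, that models both the server's CORS header generation and the browser's check (per the Fetch standard, a credentialed response is exposed only when the allowed origin is the exact request origin, never `*`, and the credentials header is exactly `true`). The policy class, the function names and the origins `https://app.example` and `https://evil.example` are constructed for this illustration.

```python
"""
Added example: how a server's CORS policy and the browser's CORS check
combine to decide whether a cross-origin page can read a cookie-
authenticated response. Not part of the original mailing-list thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsPolicy:
    """Hypothetical server-side CORS configuration."""
    allowed_origins: frozenset          # exact origins that may read responses
    public: bool = False                # emit Access-Control-Allow-Origin: *
    allow_credentials: bool = False     # emit Access-Control-Allow-Credentials: true
    reflect_any_origin: bool = False    # echo whatever Origin the request carried


def cors_response_headers(policy, request_origin):
    """Headers a server following `policy` adds for a request from `request_origin`."""
    headers = {}
    if policy.reflect_any_origin and request_origin is not None:
        # The shortcut that turns "Allow-Credentials" into a cross-site read primitive.
        headers["Access-Control-Allow-Origin"] = request_origin
    elif request_origin in policy.allowed_origins:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Vary"] = "Origin"      # caches must not serve one origin's answer to another
    elif policy.public:
        headers["Access-Control-Allow-Origin"] = "*"
    else:
        return headers                  # no CORS headers at all: same-origin only
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_exposes_response(headers, request_origin, with_credentials):
    """Model of the browser's CORS check: may script at `request_origin` read the body?"""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if not with_credentials:
        return acao == "*" or acao == request_origin
    # Credentialed request: "*" is rejected, and Allow-Credentials must be exactly "true".
    return acao == request_origin and headers.get("Access-Control-Allow-Credentials") == "true"


def cross_site_page_can_read_logged_in_data(policy, other_origin="https://evil.example"):
    """True if a page on an unrelated origin could read a cookie-authenticated response."""
    headers = cors_response_headers(policy, other_origin)
    return browser_exposes_response(headers, other_origin, with_credentials=True)


# Constructed policies matching the configurations discussed in the thread.
PUBLIC_STAR = CorsPolicy(frozenset(), public=True)
STAR_PLUS_CREDENTIALS = CorsPolicy(frozenset(), public=True, allow_credentials=True)
REFLECT_PLUS_CREDENTIALS = CorsPolicy(frozenset(), allow_credentials=True, reflect_any_origin=True)
ALLOWLIST_PLUS_CREDENTIALS = CorsPolicy(frozenset({"https://app.example"}), allow_credentials=True)


if __name__ == "__main__":
    for name, policy in [("CORS: *", PUBLIC_STAR),
                         ("* + credentials", STAR_PLUS_CREDENTIALS),
                         ("reflect Origin + credentials", REFLECT_PLUS_CREDENTIALS),
                         ("allowlist + credentials", ALLOWLIST_PLUS_CREDENTIALS)]:
        print(f"{name:30} readable by unrelated origin with cookies: "
              f"{cross_site_page_can_read_logged_in_data(policy)}")
```

Running the block shows the distinction both messages are making: a plain `*` (with or without a stray credentials header) never lets another origin read a logged-in user's response, because the browser refuses the combination; reflecting the request's `Origin` together with `Allow-Credentials: true` does, which is the configuration the first message warns about. An exact-origin allowlist with `Vary: Origin` keeps credentialed reads limited to the origins you named.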