[https://issues.apache.org/jira/browse/COUCHDB-2444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14201474#comment-14201474]
Zachary Lym commented on COUCHDB-2444:
--------------------------------------
No, it will prevent local XSS attacks as it locks down the origin to the domain
making the initial request. Given how well CouchDB serves as an API backend, I
think that such functionality is highly desirable.
If you must lock it down further, then perhaps you could just restrict CORS
auth-functionality in the same way it's blocked for wildcard domains.
> Mirror CORS domains
> -------------------
>
> Key: COUCHDB-2444
> URL: https://issues.apache.org/jira/browse/COUCHDB-2444
> Project: CouchDB
> Issue Type: Improvement
> Security Level: public(Regular issues)
> Components: HTTP Interface
> Reporter: Zachary Lym
>
> Most APIs that support CORS specify acceptable domains not with a wildcard
> but by mirroring the caller. I believe that this is an XSS mitigation
> technique but it would also allow cookie-based authentication on domains
> (which are blocked when a wildcard is used to specify the domains).
> If this capability exists, then it should be documented in the interface
> and highlighted in the CORS documentation.
> [PouchDB cross-pollination|https://github.com/pouchdb/pouchdb/issues/896].
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
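The mirrored-origin behaviour the thread asks for, as an added example that is not CouchDB's own code: a small Python function that emits CORS response headers, echoing the request's Origin only when it is on a configured allowlist, so cookie-based authentication can be enabled without the wildcard that browsers refuse for credentialed requests. The function name, header dict and allowlist values are my assumptions.

```python
"""Mirror-the-caller CORS versus a wildcard (added example, not CouchDB code)."""
from typing import Dict, Optional, Set


def cors_headers(request_origin: Optional[str],
                 allowed_origins: Set[str],
                 credentials: bool) -> Dict[str, str]:
    """Return the CORS response headers for one request.

    allowed_origins is a set of exact origins (scheme://host[:port]);
    the single entry "*" selects wildcard mode.  Browsers reject a
    credentialed response whose Allow-Origin is "*", so credentials are
    only honoured in mirror mode, and the mirrored value is always taken
    from the allowlist, never reflected blindly from the request header.
    """
    headers: Dict[str, str] = {}
    if request_origin is None:
        return headers                      # not a cross-origin request

    if "*" in allowed_origins:
        headers["Access-Control-Allow-Origin"] = "*"
        return headers                      # wildcard: cookies never sent

    # Mirror mode: exact, case-sensitive membership check.  A lookalike
    # such as https://app.example.attacker.test does not match.
    if request_origin not in allowed_origins:
        return headers                      # unknown origin: no CORS headers

    headers["Access-Control-Allow-Origin"] = request_origin
    headers["Vary"] = "Origin"              # stop caches cross-serving origins
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    # Constructed sample origins for a quick look at the three modes.
    allow = {"https://app.example"}
    print("wildcard   :", cors_headers("https://app.example", {"*"}, True))
    print("mirrored   :", cors_headers("https://app.example", allow, True))
    print("not allowed:", cors_headers("https://evil.example", allow, True))
```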