[jira] [Commented] (FINERACT-879) Refine overly permissive Cross-Origin Resource Sharing (CORS) policy

Sun, 10 May 2020 07:42:09 -0700 


    [ 
https://issues.apache.org/jira/browse/FINERACT-879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17103825#comment-17103825
 ] 

Michael Vorburger commented on FINERACT-879:
--------------------------------------------

This also came up in FINERACT-969... [~giorgio] do you happen do be able to 
contribute a PR to fix whatever needs to be done to address this, or elaborate 
further on what instead of "*" it should be? (I don't actually know what 
exactly is required to be done how / where....)

> Refine overly permissive Cross-Origin Resource Sharing (CORS) policy
> --------------------------------------------------------------------
>
>                 Key: FINERACT-879
>                 URL: https://issues.apache.org/jira/browse/FINERACT-879
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Security
>            Reporter: Michael Vorburger
>            Priority: Major
>              Labels: technical
>
> FINERACT-853 has identified the following which we should probably do 
> something about:
> Security Warnings
> Code  Warning
> SECCORS       The program defines an overly permissive Cross-Origin Resource 
> Sharing (CORS) policy
>       
> Details
> PERMISSIVE_CORS: Overly permissive CORS policy
> Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures 
> that in order for JavaScript to access the contents of a Web page, both the 
> JavaScript and the Web page must originate from the same domain. Without the 
> Same Origin Policy, a malicious website could serve up JavaScript that loads 
> sensitive information from other websites using a client's credentials, cull 
> through it, and communicate it back to the attacker. HTML5 makes it possible 
> for JavaScript to access data across domains if a new HTTP header called 
> Access-Control-Allow-Origin is defined. With this header, a Web server 
> defines which other domains are allowed to access its domain using 
> cross-origin requests. However, caution should be taken when defining the 
> header because an overly permissive CORS policy will allow a malicious 
> application to communicate with the victim application in an inappropriate 
> way, leading to spoofing, data theft, relay and other attacks.
> Vulnerable Code:
> {{response.addHeader("Access-Control-Allow-Origin", "*");}}
> Solution:
> Avoid using * as the value of the Access-Control-Allow-Origin header, which 
> indicates that the application's data is accessible to JavaScript running on 
> any domain.
> References
> [W3C Cross-Origin Resource Sharing|https://www.w3.org/TR/cors/]
> [Enable Cross-Origin Resource Sharing|http://enable-cors.org/]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to