[ https://issues.apache.org/jira/browse/FINERACT-879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17423723#comment-17423723 ]
Francis Guchie commented on FINERACT-879:
-----------------------------------------

[~rrpawar] [~ikimbrah] I have done the following

# Latest build - thanks to [~rrpawar]
# I get a successful login
# I have discovered that CORS is not fully enabled due to the *"Refined overly permissive Cross-Origin Resource Sharing -CORS"*

Look at the response below

XHR GET https://<myserver>/fineract-provider/api/v1/self/clients CORS Missing Allow Origin 1
{"timestamp":1633293554269,"status":401,"error":"Unauthorized","message":"","path":"/fineract-provider/api/v1/self/clients"}

As you can see this means CORS is enabled but the other filters are not considered.

We need something like this example for tomcat-9:

<init-param>
  <param-name>cors.allowed.methods</param-name>
  <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
</init-param>

> Refine overly permissive Cross-Origin Resource Sharing (CORS) policy
> --------------------------------------------------------------------
>
> Key: FINERACT-879
> URL: https://issues.apache.org/jira/browse/FINERACT-879
> Project: Apache Fineract
> Issue Type: Bug
> Components: Security
> Reporter: Michael Vorburger
> Assignee: Rahul Pawar
> Priority: Critical
> Labels: technical
>
> FINERACT-853 has identified the following which we should probably do something about:
>
> Security Warnings
> Code Warning
> SECCORS The program defines an overly permissive Cross-Origin Resource Sharing (CORS) policy
>
> Details
> PERMISSIVE_CORS: Overly permissive CORS policy
> Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures that in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, cull through it, and communicate it back to the attacker.
> HTML5 makes it possible for JavaScript to access data across domains if a new HTTP header called Access-Control-Allow-Origin is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.
>
> Vulnerable Code:
> {{response.addHeader("Access-Control-Allow-Origin", "*");}}
>
> Solution:
> Avoid using * as the value of the Access-Control-Allow-Origin header, which indicates that the application's data is accessible to JavaScript running on any domain.
>
> References
> [W3C Cross-Origin Resource Sharing|https://www.w3.org/TR/cors/]
> [Enable Cross-Origin Resource Sharing|http://enable-cors.org/]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
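The issue contrasts the flagged wildcard header with an allowlist-based policy, and the comment above shows the failure mode when the preflight is not answered before authentication (a 401 with no Access-Control-Allow-Origin). The following is an added example, not Fineract's code: it models both the permissive pattern and the restricted one as plain functions over request headers, and answers OPTIONS preflights with an allowed-methods list like the Tomcat `cors.allowed.methods` setting mentioned above. The origins, methods and headers in the allowlists are constructed assumptions.

```python
"""Hardened CORS policy decision (added example; not Fineract's code).

Instead of emitting Access-Control-Allow-Origin: * for every request, the
request's Origin header is compared against an explicit allowlist and only
an allowed origin is echoed back. A preflight handler shows the OPTIONS
response that an allowed-methods configuration produces. All allowlist
values and sample requests here are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed allowlist: only these exact origins may make cross-origin calls.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.org",
    "https://selfservice.example.org",
})
# Mirrors the shape of Tomcat's cors.allowed.methods value (constructed).
ALLOWED_METHODS = ("GET", "POST", "HEAD", "OPTIONS", "PUT")
ALLOWED_HEADERS = ("Authorization", "Content-Type")


def normalize_origin(origin):
    """Return scheme://host[:port] in lower case, or None if not a valid origin.

    Comparing the normalized form avoids mismatches on trailing slashes or
    upper-case hosts; anything carrying a path, query, fragment or userinfo
    is rejected outright, and the literal "null" origin is never allowed.
    """
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    host = parts.hostname.lower()
    if parts.port:
        return f"{parts.scheme}://{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def permissive_cors_headers(_request_headers):
    """The pattern the scanner flagged: every origin is allowed to read."""
    return {"Access-Control-Allow-Origin": "*"}


def restricted_cors_headers(request_headers):
    """Allowlist-based CORS headers for a normal (non-preflight) response.

    Returns an empty dict when Origin is absent (same-origin or non-browser
    client) or not in the allowlist, so the browser blocks the read.
    'Vary: Origin' is required whenever the header value depends on the
    request, otherwise a shared cache could serve one origin's response to
    another.
    """
    origin = normalize_origin(request_headers.get("Origin"))
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def preflight_response(request_headers):
    """Answer an OPTIONS preflight, returning (status, headers).

    A preflight carries no credentials, so it has to be answered before the
    authentication filter runs; otherwise the browser receives a 401 with no
    CORS headers, which is the symptom shown in the comment above.
    """
    cors = restricted_cors_headers(request_headers)
    if not cors:
        return 403, {}
    requested = request_headers.get("Access-Control-Request-Method", "").upper()
    if requested not in ALLOWED_METHODS:
        return 403, {}
    cors.update({
        "Access-Control-Allow-Methods": ",".join(ALLOWED_METHODS),
        "Access-Control-Allow-Headers": ",".join(ALLOWED_HEADERS),
        "Access-Control-Max-Age": "600",
    })
    return 204, cors


if __name__ == "__main__":
    # Constructed requests: one allowed origin, one that merely starts with it.
    print(restricted_cors_headers({"Origin": "https://app.example.org"}))
    print(restricted_cors_headers({"Origin": "https://app.example.org.attacker.test"}))
    print(preflight_response({"Origin": "https://app.example.org",
                              "Access-Control-Request-Method": "PUT"}))
```

The exact-match allowlist is deliberate: prefix or substring checks on the Origin value are a common way to reintroduce the wildcard behaviour through a look-alike host, which is why the second sample request above yields no CORS headers at all.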