Zachary Lym created COUCHDB-2444:
------------------------------------
Summary: Mirror CORS domains
Key: COUCHDB-2444
URL: https://issues.apache.org/jira/browse/COUCHDB-2444
Project: CouchDB
Issue Type: Improvement
Security Level: public (Regular issues)
Components: HTTP Interface
Reporter: Zachary Lym
Most APIs that support CORS specify acceptable domains not with a wildcard but
by mirroring the caller. I believe that this is an XSS mitigation technique
but it would also allow cookie-based authentication on domains (which are
blocked when a wildcard is used to specify the domains).
If this capability exists, then it should be documented in the interface and
highlighted in the CORS documentation.
[PouchDB cross-pollination|https://github.com/pouchdb/pouchdb/issues/896].
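Mirroring the caller's Origin, as the report describes, only works safely when the server first decides which origins it trusts; reflecting any Origin together with Access-Control-Allow-Credentials would hand the credentialed API to every site. The following is an added example, not CouchDB code and not from the issue: a small Python decision function that mirrors the Origin only when it is on an allowlist (the allowlist origins are constructed), adds Vary: Origin so caches key on it, and never pairs a wildcard with credentials, which is the combination browsers reject.

```python
"""Added example: CORS origin mirroring against an allowlist.

This is not CouchDB code. It models the header decision a server makes for a
cross-origin request. The origins in ALLOWED_ORIGINS are constructed.
"""

from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist: the only origins this server is willing to mirror.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def normalize_origin(origin: str) -> Optional[str]:
    """Return 'scheme://host[:port]' for a well-formed Origin, else None.

    The opaque value 'null', bare hostnames, and anything carrying a path,
    query or fragment are rejected so the allowlist comparison is exact.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers(request_headers: Dict[str, str],
                 allow_credentials: bool = True) -> Dict[str, str]:
    """Headers to add to the response for the given request headers.

    The caller's Origin is mirrored only when it is allowlisted. An unknown
    origin gets no Access-Control-Allow-Origin at all, so the browser blocks
    the cross-origin read (fail closed).
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser request: nothing to add
    normalized = normalize_origin(origin)
    if normalized is None or normalized not in ALLOWED_ORIGINS:
        return {}  # not trusted: withhold the header entirely
    headers = {
        # Echo the normalized origin rather than '*', so credentials may flow.
        "Access-Control-Allow-Origin": normalized,
        # The response now depends on Origin; shared caches must key on it.
        "Vary": "Origin",
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def wildcard_headers() -> Dict[str, str]:
    """The wildcard alternative: any origin may read, but browsers will not
    send cookies or HTTP auth, and adding the credentials header here would
    make the browser reject the response outright."""
    return {"Access-Control-Allow-Origin": "*"}


if __name__ == "__main__":
    print(cors_headers({"Origin": "https://app.example.com"}))
    print(cors_headers({"Origin": "https://app.example.com.attacker.test"}))
    print(wildcard_headers())
```

Withholding the header for an unknown origin, rather than answering with a wildcard, keeps the failure mode on the safe side: the browser simply refuses the read, and nothing about the allowlist is revealed to origins that are not on it.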
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)