#1731 CORS enabled by default for all HTTP services
Reporter
MattJ
Owner
MattJ
Created
Updated
Stars
★ (1)
Tags
Milestone-0.12
Status-Fixed
Type-Defect
Priority-Medium
MattJ
on
What steps will reproduce the problem?
1. Write an HTTP module
2. Enable it and make a request to it in Prosody 0.12.0
3. Observe CORS headers in response that disable same-origin restrictions
What is the expected output?
Although same-origin restrictions are irrelevant for all HTTP services bundled with Prosody by default, the restrictions are not irrelevant for all possible HTTP services. Disabling same-origin restrictions by default on services that depend on them for security may be dangerous.
CORS should be opt-in for module developers, rather than opt-out.
What version of the product are you using? On what operating system?
Prosody 0.12.0.
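An added check, not part of this issue or of Prosody's own code, that a module author can run against a custom HTTP service's raw response to see whether its CORS headers disable same-origin restrictions; the two sample responses are constructed, the first approximating the permissive default the report describes.

```python
from typing import Dict, List, Tuple

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:          # skip the status line
        if not line:                            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_cors(headers: Dict[str, str], request_origin: str) -> Tuple[str, List[str]]:
    """Classify the CORS posture of one response.
    Verdicts: 'none'       - no CORS headers, same-origin policy intact
              'restricted' - a fixed origin that is not the requester (allowlist)
              'permissive' - the requester may read the response, without credentials
              'dangerous'  - the requester's origin is allowed with credentials"""
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[str] = []
    if acao is None:
        return "none", findings
    if acao == "*":
        findings.append("Access-Control-Allow-Origin: * lets any origin read the response")
        return "permissive", findings           # browsers ignore credentials with '*'
    if acao == request_origin:
        # A single response cannot tell reflection from an allowlist that happens to
        # include the requester; either way this origin can read the response.
        findings.append("Access-Control-Allow-Origin allows the request Origin")
        if creds:
            findings.append("Access-Control-Allow-Credentials: true exposes authenticated responses cross-origin")
            return "dangerous", findings
        return "permissive", findings
    return "restricted", findings

# Constructed sample responses (not captured from Prosody): the first approximates the
# permissive default the report describes, the second is what a service without CORS returns.
PERMISSIVE_DEFAULT = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                      "Access-Control-Allow-Origin: https://other.example\r\n"
                      "Access-Control-Allow-Credentials: true\r\n\r\n{}")
NO_CORS = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"

if __name__ == "__main__":
    for raw in (PERMISSIVE_DEFAULT, NO_CORS):
        verdict, findings = audit_cors(parse_headers(raw), "https://other.example")
        print(verdict, findings)
```

To distinguish origin reflection from an allowlist, send the same request with two different Origin values and compare the verdicts.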
Fixed in 0.12 by https://hg.prosody.im/trunk/rev/b33558969b3e
Changes