#1731 CORS enabled by default for all HTTP services

Reporter MattJ
Owner MattJ
Stars ★ (1)
  • Milestone-0.12
  • Type-Defect
  • Priority-Medium
  • Status-Fixed
  1. MattJ on

    What steps will reproduce the problem? 1. Write a HTTP module 2. Enable it and make a request to it in Prosody 0.12.0 3. Observe CORS headers in response that disable same-origin restrictions What is the expected output? Although same-origin restrictions are irrelevant for all HTTP services bundled with Prosody by default, the restrictions are not irrelevant for all possible HTTP services. Disabling same-origin restrictions by default on services that depend on them for security may be dangerous. CORS should be opt-in for module developers, rather than opt-out. What version of the product are you using? On what operating system? Prosody 0.12.0.

  2. MattJ on

    Fixed in 0.12 by https://hg.prosody.im/trunk/rev/b33558969b3e

    • owner MattJ
    • tags Status-Fixed

New comment

Not published. Used for spam prevention and optional update notifications.