
The default CORS configuration poses a security risk.

Open ConardLi opened this issue 1 year ago • 3 comments

I don't understand why the latest commit sets the default Access-Control-Allow-Origin to *. This is no different from setting it to the request Origin, as both will break the browser's same-origin policy restrictions. The safest option is to default to empty, letting users specify the origin value themselves.

https://github.com/koajs/cors/commit/f31dac99f5355c41e7d4dd3c4a80c5f154941a11

ConardLi, Dec 18 '23 08:12
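The three defaults discussed in this issue (wildcard, reflecting the request Origin, and no header unless the origin is explicitly allowed) can be compared side by side. This is an added example, not part of the issue and not @koa/cors code; the function names, policy names and origins are hypothetical, and `browserAllowsRead` is a simplified model of the browser's CORS check.

```javascript
// Constructed allowlist for the example; a real deployment lists its own front-end origins.
const ALLOWLIST = new Set(['https://app.example.com', 'https://admin.example.com']);

// Server side: compute CORS response headers under one of three default policies.
function corsHeaders(policy, requestOrigin, { credentials = false } = {}) {
  const headers = {};
  if (!requestOrigin) return headers; // no Origin header: nothing to answer
  let allow;
  switch (policy) {
    case 'wildcard': allow = '*'; break;              // any site may read the response
    case 'reflect': allow = requestOrigin; break;     // echoes whatever the caller sent
    case 'allowlist':                                 // empty unless explicitly trusted
      allow = ALLOWLIST.has(requestOrigin) ? requestOrigin : undefined;
      break;
    default: throw new Error(`unknown policy: ${policy}`);
  }
  if (!allow) return headers;
  headers['Access-Control-Allow-Origin'] = allow;
  if (allow !== '*') {
    headers['Vary'] = 'Origin'; // response differs per origin, so caches must key on it
    if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Browser side (simplified): may script running at `origin` read the response?
function browserAllowsRead(headers, origin, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (!acao) return false;
  if (withCredentials) {
    // A wildcard is never accepted for credentialed requests.
    return acao === origin && headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return acao === '*' || acao === origin;
}

// Audit table: which policy lets which origin read, with and without cookies.
function audit(origins) {
  const rows = [];
  for (const policy of ['wildcard', 'reflect', 'allowlist']) {
    for (const origin of origins) {
      for (const creds of [false, true]) {
        const h = corsHeaders(policy, origin, { credentials: creds });
        rows.push({ policy, origin, creds, readable: browserAllowsRead(h, origin, creds) });
      }
    }
  }
  return rows;
}

console.table(audit(['https://app.example.com', 'https://untrusted.example']));
```

In the resulting table, only the `allowlist` rows deny the untrusted origin in every case, which corresponds to the "default to empty" behaviour requested in the issue.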