Comments (3)
Setting request origin by default is more risky for browsers, so refer to industry practice such as expressjs to set it to * by default.
Since turning on the cors plugin is a user action, the default value is set instead of the null value, because if you want the null value, you can just introduce the cors plugin.
from cors.
Setting request origin by default is more risky for browsers
Could you please elaborate on this statement?
from cors.
The subtle difference is with the behaviors around credentials (cookies especially). A request with credentials answered with Access-Control-Allow-Origin: "*" will return an error in browsers, but with the right Origin credentials are accepted... provided that Access-Control-Allow-Credentials: true is specified, which wasn't and still isn't the case by default.
(In short: I agree with you that the change didn't change anything)
from cors.
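The browser behaviour discussed in the comments above, as an added example that is not part of the thread or of the cors project's code: it models the CORS check a browser applies to a response, following the steps in the Fetch standard. The function name, the lower-cased header keys and the sample origin are assumptions made for illustration.

```javascript
// Added example: the browser-side CORS check, following the Fetch standard's steps.
// Header names are passed as lower-cased keys; all origins are constructed samples.
function corsCheck(requestOrigin, withCredentials, responseHeaders) {
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  const allowCredentials = responseHeaders['access-control-allow-credentials'];

  if (allowOrigin === undefined) {
    return { ok: false, reason: 'missing Access-Control-Allow-Origin' };
  }
  // The wildcard is honoured only when the request carries no credentials.
  if (allowOrigin === '*') {
    return withCredentials
      ? { ok: false, reason: 'wildcard not allowed with credentials' }
      : { ok: true, reason: 'wildcard, no credentials' };
  }
  // Otherwise the header must match the request's Origin exactly.
  if (allowOrigin !== requestOrigin) {
    return { ok: false, reason: 'origin mismatch' };
  }
  if (!withCredentials) {
    return { ok: true, reason: 'origin echoed, no credentials' };
  }
  // Credentialed responses are exposed only with the literal value "true".
  return allowCredentials === 'true'
    ? { ok: true, reason: 'origin echoed, credentials allowed' }
    : { ok: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
}

const origin = 'https://app.example'; // constructed sample origin
const cases = [
  ['wildcard, anonymous', false, { 'access-control-allow-origin': '*' }],
  ['wildcard, cookies', true, { 'access-control-allow-origin': '*' }],
  ['echoed origin, cookies', true, { 'access-control-allow-origin': origin }],
  ['echoed origin + allow-credentials, cookies', true, {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
  }],
];
for (const [label, withCredentials, headers] of cases) {
  const result = corsCheck(origin, withCredentials, headers);
  console.log(`${label}: ${result.ok ? 'exposed' : 'blocked'} (${result.reason})`);
}
```

Only the last case exposes a credentialed response to the calling page, which is why switching the default between "*" and the echoed Origin changes nothing for cookies while Access-Control-Allow-Credentials stays off.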
Related Issues (20)
- Bump npm latest version to 2
- npm audit reveals security vulnerabilities
- GMT koa deprecated Support for generators will be removed in v3. See the documentation for examples of how to convert old middleware https://github.com/koajs/koa/blob/master/docs/migration.md at server\index.js:6:5 HOT 3
- Docs: Installation modify HOT 1
- Header not set on error response HOT 2
- How to set CORS of static resources HOT 2
- should preflight request return 204 instead of 404 when origin not match?
- documentation missing: needs to be used before router HOT 1
- allowHeaders doesn't support functions? HOT 2
- Does this still maintains ?
- Integrate with @types/koa__cors
- How to set multiple domains ? HOT 2
- How to resolve socket cors HOT 1
- https://github.com/koajs/cors/blob/master/index.js#L138
- Access-Control-Request-Private-Network HOT 2
- Should default options allow null origin?
- Allow not returning any access control headers if the Origin is not allowed to access the resource HOT 1
- Overly permissive origin policy HOT 2
- Access-Control-Allow-Origin set to '*' even when 'Origin' is supplied HOT 1