Is it safe to use the value of header Access-Control-Request-Headers for setting the...
I found some code in some koa cors middlewares for setting Access-Control-Allow-Headers like below:

if (options.allowHeaders) {
  ctx.set('Access-Control-Allow-Headers', options.allowHeaders.join(','));
} else {
  ctx.set('Access-Control-Allow-Headers', ctx.get('Access-Control-Request-Headers'));
}

My question is whether it is safe to use the value of Access-Control-Request-Headers for Access-Control-Allow-Headers, or maybe I misunderstand the usage of Access-Control-Request-Headers.
javascript security cors http-headers
asked Nov 12 '18 at 3:58
LCB
1
What do you imagine would make it unsafe? What would you imagine koa cors should do differently? If you actually use koa cors, you always have the option of explicitly specifying which request headers you want to allow. So is there some other problem you're trying to solve? Nobody can tell you that doing something is absolutely safe. For one thing, it depends on what specific request headers your frontend code might be sending.
– sideshowbarker
Nov 12 '18 at 4:05
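The two branches in the question behave very differently, and the comment's suggestion (explicitly specifying the allowed request headers) is the second one. The example below is added here and is not code from the question or from any koa cors package; it simulates the parts of koa's `ctx` that the middleware touches with a constructed stand-in object so it runs under plain Node with no dependencies. The `options.allowHeaders` shape and the preflight header values are assumptions for illustration. In the `else` branch the server makes no decision at all: it approves exactly the header names the browser asked about, so the browser-side CORS check can never fail on the header list. In the allowlist branch the server answers with the intersection of what was requested and what it was configured to accept, so an unexpected header causes the browser to block the actual request rather than the server silently accepting it.

```javascript
// Added example (not from the question or from any koa cors package):
// the two ways of filling Access-Control-Allow-Headers seen in the question,
// run against a constructed stand-in for koa's ctx.

// Normalise a comma-separated header list into trimmed, lower-cased names
// (header names are case-insensitive, so compare them in one case).
function parseHeaderList(value) {
  return String(value || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
}

// Variant 1 (the `else` branch in the question): echo back whatever the
// browser put in Access-Control-Request-Headers. The server approves every
// header name the preflight asked for; the client decides the policy.
function reflectedAllowHeaders(requestedHeaderValue) {
  return parseHeaderList(requestedHeaderValue).join(',');
}

// Variant 2 (the `options.allowHeaders` branch): answer only with the
// intersection of what was requested and what the server explicitly allows.
// Names outside the list are dropped, so the browser blocks the real request
// if the page tried to send one of them.
function allowlistedAllowHeaders(requestedHeaderValue, allowList) {
  const allowed = new Set(allowList.map((h) => h.toLowerCase()));
  return parseHeaderList(requestedHeaderValue)
    .filter((h) => allowed.has(h))
    .join(',');
}

// Minimal koa-style preflight middleware built from the two helpers.
// `options.allowHeaders` is an assumed option name mirroring the question.
function corsPreflight(options = {}) {
  return function middleware(ctx, next) {
    // Only an OPTIONS request carrying Access-Control-Request-Method is a preflight.
    if (ctx.method !== 'OPTIONS' || !ctx.get('Access-Control-Request-Method')) {
      return next(); // not a preflight; hand off to later middleware
    }
    const requested = ctx.get('Access-Control-Request-Headers');
    const value = options.allowHeaders
      ? allowlistedAllowHeaders(requested, options.allowHeaders)
      : reflectedAllowHeaders(requested);
    if (value) ctx.set('Access-Control-Allow-Headers', value);
    ctx.status = 204;
  };
}

// Constructed stand-in for the parts of koa's ctx this middleware uses.
function fakeCtx(method, requestHeaders) {
  const req = Object.fromEntries(
    Object.entries(requestHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const res = {};
  return {
    method,
    status: 404,
    get: (name) => req[name.toLowerCase()] || '',
    set: (name, v) => { res[name.toLowerCase()] = v; },
    response: res,
  };
}

// Run one constructed preflight through both configurations and return the
// Access-Control-Allow-Headers value each one produced.
function demo() {
  const preflight = {
    'Access-Control-Request-Method': 'PUT',
    'Access-Control-Request-Headers': 'Content-Type, X-Requested-With, X-Custom-Header',
  };
  const reflect = fakeCtx('OPTIONS', preflight);
  corsPreflight()(reflect, () => {});
  const strict = fakeCtx('OPTIONS', preflight);
  corsPreflight({ allowHeaders: ['Content-Type', 'Authorization'] })(strict, () => {});
  return {
    reflected: reflect.response['access-control-allow-headers'],
    allowlisted: strict.response['access-control-allow-headers'],
  };
}

console.log(demo());
```

Running it prints the reflected value `content-type,x-requested-with,x-custom-header` next to the allowlisted value `content-type`: the first configuration tells the browser that whatever the page wanted is fine, the second tells it only `Content-Type` is. Whether the first is acceptable depends, as the comment says, on which headers your own frontend actually sends and on whether anything on the server treats an arbitrary extra request header as meaningful.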