[SEMVER-MAJOR] Don't send Access-Control-Allow-Credentials by default.#293
[SEMVER-MAJOR] Don't send Access-Control-Allow-Credentials by default.#293STRML wants to merge 1 commit into
Conversation
| .set('Origin', url) | ||
| .send({ person: 'ABC' }) | ||
| .end(function(err, res) { | ||
| assert(res.headers['Access-Control-Allow-Origin'] === undefined); |
There was a problem hiding this comment.
Just a note - these were always undefined as the headers are lowercase.
|
@STRML thank you for the pull request. I don't have a strong opinion on this change, therefore I am fine to go with your proposal. @raymondfeng @ritch @fabien @strongloop/loopback-dev any objections? I feel this is a breaking change that should not be back-ported to 2.x. However, we can change the setting value used by applications scaffolded via |
|
I would label this as a security fix and release as semver-minor with 2.x. |
I am afraid this is not true, we don't encourage using accessToken cookies. The minimal loopback application relies on var app = loopback();
app.use(loopback.rest());
app.listen();Also IIUC CORS docs at MDN correctly,
I am closing this pull request as rejected. @STRML I am happy to change my mind if you can provide more arguments supporting your case. |
|
Two things:
I strongly believe we should have secure defaults and |
|
@STRML thanks, let's reopen the PR and the discussion.
Good point, I agree.
As far as I understand
I understand your point of view and I agree the default configuration should be secure. From my point of view, loopback/strong-remoting is for building REST API servers. In my (possibly limited) experience, most APIs are accessed by cross-origin clients, therefore it makes sense to make LoopBack apps CORS-enabled by default. BTW the current defaults were introduced by #93 in response to a mailing-list discussion where people got confused about how to configure CORS in their apps: https://groups.google.com/forum/#!topic/loopbackjs/y7vB4RFDS0E Let me also describe the bigger picture. LoopBack applications scaffolded via In that light, perhaps this will be the best approach:
@raymondfeng @ritch @qpresley @rmg do you have any opinion on this topic? |
|
If I understand the conversation so far, the current defaults are:
Does that sum up the challenges with this PR? Changing the default in the module definitely seems like a semver-major change, since anyone relying on it will be very disappointed if their app suddenly stops working from a semver-minor or semver-patch update. This seems pretty straight forward as far as impact of the change. Updating the scaffolding to include a description of the setting and what the implications are for the different use-cases sounds like the right way to address this for loopback 2.x. Explicitly setting configurable values to their defaults is generally a good idea for scaffolding since it prevents accidental breakage from changes in default values like this. |
Sounds right to me. Our use case is API+SPA where this default is unsafe. |
|
Closing in favour of #352. |
This is a very dangerous header to be sending. Given that strong-remoting/loopback encourages the use of
accessTokencookies, I see no reason why we should not have secure defaults and make the user decide whether or not to open this vector.