Skip to content

CORS Security Fix
Compare
Choose a tag to compare
@elithrar elithrar released this 01 Nov 17:45
v1.3.0
9066371
  • Fixes a security issue where Access-Control-Allow-Origin would reflect the Origin header in the request, which has different (and worse) security vs. returning an explicit "*". Thanks to @ejcx for reporting and fixing.

CHANGELOG

9066371 [bugfix] Don't return the origin header when configured to * (#116)

Assets 2
Loading