The bump just hardens the parsing of malicious cors headers. Only browsers make preflight requests. So this does not affect any of our web, desktop or mobile developers. Just Merge.
Due to changes in rs/cors (rs/cors@4c32059#diff-bf80d8fbedf172fab9ba2604da7f7be972e48b2f78a8d0cd21619d5f93665895R367) we have a security issue that would cause some fallout in ALL clients. This security issue is valid and the fix in rs/cors needed, but the acceptance-factor in the community and developers of projects attached should be zero.
The change requires all Access-Control-Request-Headers to be lower-case and in alphabetical order. We tried to enforce this in #9518 but realized that this might break ALL clients (web, desktop...)
Can we come up with a roadmap how to implement this?
For now we suggest the following:
@TheOneRing @kulmann @micbar @dragotin can you please join the discussion on this since you are directly affected.
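One way for client developers to check what their preflight requests send against the form described above (lower-case names in alphabetical order). This is an added example, not code from this issue, from oCIS or from rs/cors; the function names are hypothetical, and it assumes the header value is a comma-separated list with optional whitespace around each name.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// splitRequestHeaders splits an Access-Control-Request-Headers value on commas
// and trims optional spaces and tabs (assumption: comma-separated list).
func splitRequestHeaders(value string) []string {
	var names []string
	for _, part := range strings.Split(value, ",") {
		if name := strings.Trim(part, " \t"); name != "" {
			names = append(names, name)
		}
	}
	return names
}

// CheckRequestHeaders lists every deviation from the form the issue describes:
// each name lower-case, and the names in alphabetical order.
func CheckRequestHeaders(value string) []string {
	var problems []string
	names := splitRequestHeaders(value)
	for i, name := range names {
		if name != strings.ToLower(name) {
			problems = append(problems, fmt.Sprintf("%q is not lower-case", name))
		}
		// Compare case-insensitively so ordering is judged independently of case.
		if i > 0 && strings.ToLower(names[i-1]) > strings.ToLower(name) {
			problems = append(problems, fmt.Sprintf("%q sorts before %q", name, names[i-1]))
		}
	}
	return problems
}

// NormalizeRequestHeaders returns the lower-cased, sorted form of value.
func NormalizeRequestHeaders(value string) string {
	names := splitRequestHeaders(strings.ToLower(value))
	sort.Strings(names)
	return strings.Join(names, ",")
}

func main() {
	// Constructed sample values, not captured from a real client.
	samples := []string{"authorization,content-type,x-request-id", "Content-Type, Authorization"}
	for _, v := range samples {
		fmt.Printf("%q problems=%q normalized=%q\n", v, CheckRequestHeaders(v), NormalizeRequestHeaders(v))
	}
}
```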