[Needs discussion] Bump of rs/cors and resulting issues

[dragonchaser]

Due to changes in rs/cors (rs/cors@4c32059#diff-bf80d8fbedf172fab9ba2604da7f7be972e48b2f78a8d0cd21619d5f93665895R367) we have a security issue that would cause some fallout in ALL clients. This security issue is valid and the fix in rs/cors needed, but the acceptance-factor in the community and developers of projects attached should be zero.

The change requires all Access-Control-Request-Headers to be lower-case and in alphabetical order.

We tried to enforce this in #9518 but realized that his might break ALL clients (web, desktop...)

Can we come up with a roadmap how to implement this?

For now we suggest the following:

• silence those security issues in the vulnerability scanner (go vuln-check) if possible
• merge all release relevant PRs to unblock us
• wait for clients to adapt the changes and then merge the remainders of bump reva #9518

@TheOneRing @kulmann @micbar @dragotin can you please join the discussion on this since you are directly affected.

Client	Affected
Web	unknown
Moodle integration	unknown
Desktop client	unknown

[dragonchaser]

Silencing is not possible, see: golang/go#61211 we might have to disable the step in the pipeline.

[2403905]

I noticed that after bumping the upload of the big files became broken. We should keep an eye on it.

[butonic]

The bump just hurdens the parsing of malicious cors headers. Only browsers make preflight requests. So this does not affect any of our web, desktop or mobile developers. Just Merge.

[dragonchaser]

Closing not relevant to us.