| Summary: | ASTERISK-21278: stasis-http Cross-Origin configuration | ||
| Reporter: | David M. Lee (dlee) | Labels: | Asterisk12 |
| Date Opened: | 2013-03-15 09:48:34 | Date Closed: | 2013-07-12 12:53:01 |
| Priority: | Major | Regression? | |
| Status: | Closed/Complete | Components: | Core/Stasis Resources/res_ari |
| Versions: | Frequency of Occurrence | ||
| Related Issues: | |||
| Environment: | Attachments: | ||
| Description: | {{stasis-http}} currently does not check the Origin header of any requests, which could open the API up for cross-site scripting hacks.
The user should be allowed to configure a list of allowed Origin's (which could be set to {{*}} to allow all). There are a list of TODO's in {{process_cors_request()}} and {{handle_options()}} for what to do to complete fulfilling this section of [the CORS spec|http://www.w3.org/TR/cors/]. The sample config should be something like this: {code:none} [general] ;allowed_origins = ; Comma separated list of allowed origins, for ; ; Cross-Origin Resource Sharing. May be set to * to allow ; ; all origins. {code} | ||
| Comments: | |||