Fix for CORS vulnerability

Summary: Sites including the raw content of the distribution zip will be susceptible to a CORS attack due to the default cors/index.html file containing an open whitelist regex.
oyvindkinsey · Apr 8, 2019 · 2769b63 · 2769b63
1 parent a32ef15
commit 2769b63
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/build.xml b/build.xml
@@ -4,7 +4,7 @@
 	<property file="build.secret.properties"/>
 	<property name="project.build.artifactdir" value="./artifacts/"/>
 	<property name="project.build.publishdir" value="./artifacts/"/>
-	<property name="project.build.version" value="2.4.20"/>
+	<property name="project.build.version" value="2.5.00"/>
 
 	<!-- Setup classpath for js-build-tools ant tasks -->
 	<path id="js-build-tasks.classpath">

diff --git a/src/cors/index.html b/src/cors/index.html
@@ -59,7 +59,7 @@
         // this file is by default set up to use Access Control - this means that it will use the headers set by the server to decide whether or not to allow the call to return
         var useAccessControl = true;
         // always trusted origins, can be exact strings or regular expressions
-        var alwaysTrustedOrigins = [(/\.?easyxdm\.net/), (/xdm1/)];
+        var alwaysTrustedOrigins = ["https://consumer.easyxdm.net"];
 
         // instantiate a new easyXDM object which will handle the request 
         var remote = new easyXDM.Rpc({