From 2769b632c1dd8c0b1f36bdab9596b331bf499b95 Mon Sep 17 00:00:00 2001
From: Sean Kinsey
Date: Mon, 8 Apr 2019 11:36:26 -0500
Subject: [PATCH] Fix for CORS vulnerability

Summary: Sites including the raw content of the distribution zip will be susceptible to a CORS attack due to the default cors/index.html file containing an open whitelist regex.
---
 build.xml | 2 +-
 src/cors/index.html | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.xml b/build.xml
index fc0e3953..2fc2f142 100644
--- a/build.xml
+++ b/build.xml
@@ -4,7 +4,7 @@
-
+
diff --git a/src/cors/index.html b/src/cors/index.html
index fe5b2611..f904e728 100644
--- a/src/cors/index.html
+++ b/src/cors/index.html
@@ -59,7 +59,7 @@
 // this file is by default set up to use Access Control - this means that it will use the headers set by the server to decide whether or not to allow the call to return
 var useAccessControl = true;
 // always trusted origins, can be exact strings or regular expressions
- var alwaysTrustedOrigins = [(/\.?easyxdm\.net/), (/xdm1/)];
+ var alwaysTrustedOrigins = ["https://consumer.easyxdm.net"];
 // instantiate a new easyXDM object which will handle the request
 var remote = new easyXDM.Rpc({
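Review bot: The replacement default on the `+` line still trusts one origin unconditionally, the vendor host `https://consumer.easyxdm.net`, so any site that ships this file unmodified grants that host access (presumably regardless of `useAccessControl` and the server's headers, given the "always trusted" comment); a distributed default should trust nothing, `var alwaysTrustedOrigins = [];`, and leave it to each deployment to add its own origins. The comment on the preceding context line still advertises regular expressions, which is exactly what went wrong here: `/\.?easyxdm\.net/` was unanchored and matched any origin containing that substring. I would extend that comment with `// regular expressions must be anchored to the full origin, e.g. /^https:\/\/app\.example\.com$/` (a constructed example host). How the entries are matched against the caller's origin lies outside the hunk, so exact string comparison is inferred from the comment rather than visible here.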