CORS should be disabled by default

Description

CORS is not necessary for ReST access by the mobile client; it should only be enabled by site administrators who know what they're doing. Right now it's enabled in all cases, but it could expose us to various cross-site-scripting attacks.

Acceptance / Success Criteria

None

Activity

Benjamin Reed March 30, 2015 at 4:56 PM

Fixed in foundation, cherry-picked to 15.0.2.

Fixed

Details

Created March 30, 2015 at 4:47 PM
Updated March 30, 2015 at 8:55 PM
Resolved March 30, 2015 at 4:56 PM