[asterisk-bugs] [JIRA] (ASTERISK-21278) stasis-http Cross-Origin configuration
Matt Jordan (JIRA)
noreply at issues.asterisk.org
Fri Mar 15 14:32:02 CDT 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-21278?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Jordan updated ASTERISK-21278:
-----------------------------------
Status: Open (was: Triage)
> stasis-http Cross-Origin configuration
> --------------------------------------
>
> Key: ASTERISK-21278
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-21278
> Project: Asterisk
> Issue Type: New Feature
> Security Level: None
> Components: Core/Stasis, Resources/res_stasis_http
> Reporter: David M. Lee
> Labels: Asterisk12
>
> {{stasis-http}} currently does not check the Origin header of any requests, which could open the API up for cross-site scripting hacks.
> The user should be allowed to configure a list of allowed Origins (which could be set to {{*}} to allow all). There is a list of TODOs in {{process_cors_request()}} and {{handle_options()}} for what to do to complete fulfilling this section of [the CORS spec|http://www.w3.org/TR/cors/].
> The sample config should be something like this:
> {code:none}
> [general]
> ;allowed_origins =   ; Comma separated list of allowed origins, for
> ;                    ; Cross-Origin Resource Sharing. May be set to * to allow
> ;                    ; all origins.
> {code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
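The Origin check the issue asks for could look like the following. This is an added example, not code from Asterisk or from the issue; the function names are hypothetical, the list format follows the proposed allowed_origins option, and treating an unset list as "allow none" is an assumption. Entries are compared as exact, case-sensitive strings, as the CORS spec requires.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if `origin` (the request's Origin header value) is permitted by
 * `allowed`, a comma separated list as in the proposed allowed_origins
 * option. "*" permits every origin. Assumption: an unset or empty list
 * permits none. Matching is on the whole string, so an entry
 * "http://a.example" does not match "http://a.example.other.test". */
int origin_allowed(const char *allowed, const char *origin)
{
    if (!allowed || !origin || !*origin)
        return 0;
    size_t olen = strlen(origin);
    const char *p = allowed;
    while (*p) {
        /* Skip separators and leading whitespace of the next entry. */
        while (*p == ',' || isspace((unsigned char)*p))
            p++;
        const char *start = p;
        while (*p && *p != ',')
            p++;
        const char *end = p;
        /* Trim trailing whitespace of this entry. */
        while (end > start && isspace((unsigned char)end[-1]))
            end--;
        size_t len = (size_t)(end - start);
        if (len == 1 && *start == '*')
            return 1;
        if (len == olen && memcmp(start, origin, len) == 0)
            return 1;
    }
    return 0;
}

/* Value for Access-Control-Allow-Origin, or NULL to send no CORS headers. */
const char *cors_allow_origin(const char *allowed, const char *origin)
{
    return origin_allowed(allowed, origin) ? origin : NULL;
}

int main(void)
{
    /* Constructed sample configuration value and Origin headers. */
    const char *cfg = "http://pbx.example.com, https://admin.example.com";
    printf("%d\n", origin_allowed(cfg, "https://admin.example.com"));
    printf("%d\n", origin_allowed(cfg, "https://admin.example.com.other.test"));
    return 0;
}
```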