[asterisk-bugs] [JIRA] (ASTERISK-21285) stasis-http Cross-Origin configuration
Matt Jordan (JIRA)
noreply at issues.asterisk.org
Fri Mar 15 14:38:02 CDT 2013
Matt Jordan created ASTERISK-21285:
--------------------------------------
Summary: stasis-http Cross-Origin configuration
Key: ASTERISK-21285
URL: https://issues.asterisk.org/jira/browse/ASTERISK-21285
Project: Asterisk
Issue Type: New Feature
Security Level: None
Components: Core/Stasis, Resources/res_stasis_http
Reporter: David M. Lee
{{stasis-http}} currently does not check the Origin header of any requests, which could open the API up for cross-site scripting hacks.
The user should be allowed to configure a list of allowed Origin's (which could be set to {{*}} to allow all). There are a list of TODO's in {{process_cors_request()}} and {{handle_options()}} for what to do to complete fulfilling this section of [the CORS spec|http://www.w3.org/TR/cors/].
The sample config should be something like this:
{code:none}
[general]
;allowed_origins = ; Comma separated list of allowed origins, for
; ; Cross-Origin Resource Sharing. May be set to * to allow
; ; all origins.
{code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the asterisk-bugs
mailing list