[asterisk-bugs] [JIRA] (ASTERISK-21285) stasis-http Cross-Origin configuration

Matt Jordan (JIRA) noreply at issues.asterisk.org
Fri Mar 15 14:38:02 CDT 2013


Matt Jordan created ASTERISK-21285:
--------------------------------------

             Summary: stasis-http Cross-Origin configuration
                 Key: ASTERISK-21285
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-21285
             Project: Asterisk
          Issue Type: New Feature
      Security Level: None
          Components: Core/Stasis, Resources/res_stasis_http
            Reporter: David M. Lee


{{stasis-http}} currently does not check the Origin header of any requests, which could open the API up for cross-site scripting hacks.

The user should be allowed to configure a list of allowed Origins (which could be set to {{*}} to allow all). There is a list of TODOs in {{process_cors_request()}} and {{handle_options()}} for what to do to complete fulfilling this section of [the CORS spec|http://www.w3.org/TR/cors/].

The sample config should be something like this:
{code:none}
[general]
;allowed_origins =      ; Comma separated list of allowed origins, for
;                       ; Cross-Origin Resource Sharing. May be set to * to allow
;                       ; all origins.
{code}
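
An added sketch, not Asterisk's code, of the check this issue asks for: matching a request's Origin header against the proposed comma separated {{allowed_origins}} value. The function name {{origin_allowed}} and the sample origins are hypothetical; entries are compared whole and case-sensitively, and an unset list allows nothing.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if `origin` is permitted by the comma separated `allowed` list
 * (the proposed allowed_origins value), 0 otherwise. An unset or empty list
 * permits nothing; a "*" entry permits every origin. Hypothetical helper. */
static int origin_allowed(const char *allowed, const char *origin)
{
    size_t olen;
    const char *p = allowed;

    if (!allowed || !origin || !*origin)
        return 0;
    olen = strlen(origin);

    while (*p) {
        const char *start, *end;

        /* Skip separators and leading whitespace. */
        while (*p == ',' || isspace((unsigned char)*p))
            p++;
        start = p;
        while (*p && *p != ',')
            p++;
        end = p;
        /* Trim trailing whitespace from the entry. */
        while (end > start && isspace((unsigned char)end[-1]))
            end--;

        if (end - start == 1 && *start == '*')
            return 1;
        /* Whole-entry, byte-for-byte comparison: a prefix or substring test
         * would accept "http://pbx.example.com.other.test" for an entry of
         * "http://pbx.example.com". */
        if ((size_t)(end - start) == olen && memcmp(start, origin, olen) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample configuration value and Origin headers. */
    const char *cfg = "http://pbx.example.com, https://admin.example.com:8089";
    const char *samples[] = { "https://admin.example.com:8089",
                              "http://pbx.example.com.other.test", "null" };
    for (size_t i = 0; i < 3; i++)
        printf("%-40s %s\n", samples[i],
               origin_allowed(cfg, samples[i]) ? "allow" : "deny");
    return 0;
}
```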
