CVE-2022-21703: cross-origin request forgery against Grafana
Related
More from Posts on jub0bs.com
TL;DR: jub0bs/cors v0.5.0 now lets you handle CORS-configuration errors programmatically. This feature should be of interest to you if you’re a multi-tenant service provider and you let your tenants configure CORS for their instances. jub0bs/cors’s commitment to configuration validation: One long-standing and distinguishing feature of...
TL;DR: In this short follow-up to my previous post, I describe why and how I’ve added support for dynamic reconfiguration of CORS middleware in jub0bs/cors. Rethinking configuration immutability: Up until now, I’ve been arguing that CORS middleware should not be reconfigurable on the fly and that any change to their configuration should require...
TL;DR: I’ve just released jub0bs/cors, a new CORS middleware library for Go, perhaps the best one yet. It has some advantages over the more popular rs/cors library, including a simpler API, better documentation, extensive configuration validation, a useful debug mode, and stronger performance guarantees. Here is a representative example of client...
TL;DR: A few months ago, while hunting on a public bug-bounty programme, I found a nice little bug chain that involved an insecure message event listener, a shoddy JSONP endpoint, a WAF bypass, DOM-based XSS on an out-of-scope subdomain, and a permissive CORS configuration, all to achieve CSRF against an in-scope asset. Read on for a deep dive about...
TL;DR: In this post, I investigate why developers struggle with CORS and I derive Fearless CORS, a design philosophy for better CORS middleware libraries, which comprises the following twelve principles: Optimise for readability; Strive for a simple and cohesive API; Provide support for Private Network Access; Categorise requests correctly; Validate...