Reconfigurable CORS middleware with jub0bs/cors

from blog Posts on jub0bs.com, | ↗ original
TL;DR ¶ In this short follow-up to my previous post, I describe why and how I’ve added support for dynamic reconfiguration of CORS middleware in jub0bs/cors. Rethinking configuration immutability ¶ Up until now, I’ve been arguing that CORS middleware should not be reconfigurable on the fly and that any change to their configuration should require...
This is a short summary. ↗ Open original to view full content

Related

CORS is Stupid
Kevin Cox's Blog | original ↗
Just enough CORS to not get stuck
meain/blog | original ↗
Crossing the CORS crossroad
Redowan's Reflections | original ↗
Why RESP3 will be the only protocol supported by Redis 6
antirez | original ↗
Building a CORS proxy with Cloudflare Workers
Redowan's Reflections | original ↗
What is CORS? 5-minute explanation
Mensur Duraković | original ↗
Understanding The Web Security Model, Part IV: Cross-Origin Resource Sharing (CORS)
Educated Guesswork | original ↗
Patching over Backblaze's B2 lack of CORS
Mumbling about computers | original ↗
Configuration
Casey Rodarmor's Blog | original ↗
An update about Redis developments in 2019
antirez | original ↗

More from Posts on jub0bs.com

A smorgasbord of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF...
5 May 2023 | original ↗

TL;DR ¶ A few months ago, while hunting on a public bug-bounty programme, I found a nice little bug chain that involved an insecure message event listener, a shoddy JSONP endpoint, a WAF bypass, DOM-based XSS on an out-of-scope subdomain, a permissive CORS configuration, all to achieve CSRF against an in-scope asset. Read on for a deep dive about...

Existence oracle for Secure cookies on insecure Web origins
12 Sept 2022 | original ↗

TL;DR ¶ In this post, I present an XSLeak technique that allows an active network attacker to observe, from an insecure Web origin, the presence or absence of some Secure cookie that may have been set by the origin’s secure counterpart. Cookies’ crumbly beginnings ¶ Netscape (Lou Montulli, more precisely) invented cookies in 1994 in order to...

Scraping the bottom of the CORS barrel (part 1)
4 Aug 2022 | original ↗

James Kettle’s 2016 research was instrumental in raising awareness of the deleterious effects of CORS (Cross-Origin Resource Sharing) misconfiguration on Web security. Does the story end there, though? Is writing about CORS-related security issues in 2022 futile? I don’t think so. This post is the first in a series in which I will discuss more...

Subdomain takeover: ignore this vulnerability at your peril
12 Feb 2021 | original ↗

My third guest post on Honeybadger’s blog, entitled Subdomain Takeover: Ignore This Vulnerability at Your Peril has just been published!

The great SameSite confusion
29 Jan 2021 | original ↗

In this post, I dissect a common misconception about the SameSite cookie attribute and I explore its potential impact on Web security. TL;DR ¶ The SameSite cookie attribute is not well understood. Conflating site and origin is a common but harmful mistake. The concept of site is more difficult to apprehend than meets the eye. Some requests are...