Permissive CORS Policy

Issue: SI-50
Date: Jan 24, 2019 9:15:00 AM
Severity: Low
Requires Admin Access: Yes
Fix Version: TBD
Credit: Johannes Moritz - RIPS TECHNOLOGIES GMBH
Description:

dotCMS currently returns an "Access-Control-Allow-Origin" header with a value of "*". This means that, by default, any public content on this server can be read cross-origin by scripts running on any other site. While this is a browser-enforced security measure, it can be desirable to prevent other sites from linking to content on your site as if it were their own content.

Status can be tracked here: https://github.com/dotCMS/core/issues/15862

Workaround:

A custom static plugin that overrides the code setting the header value.
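The following is an added example, not dotCMS code or the plugin the workaround refers to: it flags the wildcard header described above in a captured response, and computes the allowlist-based headers a hardened server would send instead. The sample header values and origins are constructed.

```python
"""Added example (not dotCMS code): detect a wildcard CORS policy in a
captured response and compute the allowlist-based headers a hardened
server would send in its place.  All sample values are constructed."""
from typing import Dict, Iterable, Optional

# Constructed sample matching the advisory's finding: ACAO "*" on a response.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html",
    "Access-Control-Allow-Origin": "*",
}


def is_permissive_cors(headers: Dict[str, str]) -> bool:
    """True when the response lets any origin read it (ACAO equal to '*')."""
    # Header names are case-insensitive, so normalise before looking up.
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return lowered.get("access-control-allow-origin") == "*"


def cors_headers_for(request_origin: Optional[str],
                     allowed_origins: Iterable[str]) -> Dict[str, str]:
    """Headers a hardened server sends for one request.

    The request's Origin is echoed back only when it exactly matches an
    entry on the allowlist; otherwise no ACAO header is sent at all, so
    the browser blocks the cross-origin read.  'Vary: Origin' stops a
    shared cache from replaying one origin's ACAO to a different origin.
    """
    allowed = {o.rstrip("/").lower() for o in allowed_origins}
    headers = {"Vary": "Origin"}
    if request_origin and request_origin.rstrip("/").lower() in allowed:
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers


if __name__ == "__main__":
    print("permissive:", is_permissive_cors(SAMPLE_RESPONSE_HEADERS))
    print(cors_headers_for("https://app.example.com", ["https://app.example.com"]))
    print(cors_headers_for("https://other.example", ["https://app.example.com"]))
```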

References:

https://en.wikipedia.org/wiki/Cross-origin_resource_sharing