Issues » Permissive CORS Policy

Issue: SI-50
Date: Jan 24, 2019, 4:15:00 AM
Severity: Low
Requires Admin Access: Yes
Fix Version: TBD
Credit: Johannes Moritz - RIPS TECHNOLOGIES GMBH
Description:

dotCMS currently returns an “Access-Control-Allow-Origin” header with a value of "*". This means that, by default, any public content on this server is shared with every origin. While CORS is a browser-enforced security measure, it can be desirable to prevent other sites from linking to content on your site as if it were their own content.

Status can be tracked here: https://github.com/dotCMS/core/issues/15862

Mitigation:

A custom static plugin that overrides the code setting the header value.
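The wildcard check and the allowlisted override described above, as an added example (Python, not dotCMS or plugin code; the origin list and the function names are assumptions):

```python
"""Flag a wildcard CORS policy in a response and compute the restricted
header an overriding plugin would emit instead.
Assumed names: ALLOWED_ORIGINS, cors_findings, restricted_cors_headers."""
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment lists its own site origins.
ALLOWED_ORIGINS = {"https://www.example.com", "https://admin.example.com"}


def cors_findings(headers: dict) -> list:
    """Return findings for the CORS headers of one response.

    Header names are compared case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*":
        findings.append("wildcard: any origin may read this response")
    if acao == "*" and creds:
        # Browsers reject this pair, but it signals a misconfigured server.
        findings.append("wildcard with credentials: invalid combination")
    if acao not in (None, "*") and creds and "origin" not in h.get("vary", "").lower():
        findings.append("reflected origin without Vary: Origin (cache poisoning risk)")
    return findings


def restricted_cors_headers(request_origin):
    """Headers a hardened override would emit: echo only allowlisted origins.

    No Origin header, or an origin not on the list, yields no
    Access-Control-Allow-Origin at all, so browsers block the cross-origin read.
    """
    if not request_origin:
        return {}
    parts = urlsplit(request_origin)
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # stop shared caches serving one origin's copy to another
    }
```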

References

https://en.wikipedia.org/wiki/Cross-origin_resource_sharing