Send Authorization header only for same-origin requests (!925) · Merge requests · Particify / Software Development / FOSS / ARSnova Web Client

Daniel Gerhardt requested to merge send-auth-header-only-for-same-origin into master Feb 23, 2021

Requests to different origins could have leaked the users credentials. But for now the client did only perform same-origin requests, so this behavior did not cause any security issues.

Furthermore, the previous behavior could lead to failing requests if the target did handle the header.

Edited Feb 23, 2021 by Daniel Gerhardt

Send Authorization header only for same-origin requests

Merge request reports