curveball/a12n-server

OAuth2 token CORS conflicts with global CORS

Opened this issue · 0 comments

evert commented

The OAuth2 token endpoint has completely open CORS rules. There's enough security here using other mechanisms that there's no risk here.

Other endpoints by default have no CORS rules, but this can be turned on with the cors.allowOrigin database setting. When this is on, it overrides the OAuth2 CORS rules and the token endpoint gets the same restriction as cors.allowOrigin. I'm not sure if this is what we want.