sikrvault/sikr

CORS header should not validate invalid domains

Closed this issue · 1 comments

The current CORS mechanism accepts any Origin header and returns it in the response to make valid cross-domain requests from the API. Instead of that, it should validate against a proper URL regex that checks if the origin is valid.

A valid regex to check against would be:

^(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?$
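As an added example (not sikr's own code), the snippet below checks an incoming Origin header with the regex proposed above and only reflects it in Access-Control-Allow-Origin when it is syntactically valid and also present in a configured allowlist; the allowlist contents and the 256-character length cap are assumptions of this example.

```javascript
// Regex from the issue: syntactic check for a plausible origin URL.
const ORIGIN_RE = /^(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?$/;
// Assumed cap: bound the input before running a regex that contains a nested
// quantifier (([...]*)*), which can backtrack heavily on long, crafted strings.
const MAX_ORIGIN_LENGTH = 256;

// True only for a string Origin header that matches the proposed regex.
function isValidOriginSyntax(origin) {
  if (typeof origin !== 'string' || origin.length > MAX_ORIGIN_LENGTH) return false;
  return ORIGIN_RE.test(origin);
}

// Returns the value to place in Access-Control-Allow-Origin, or null to omit it.
// Syntactic validity alone still matches any domain, so the origin is also
// compared exactly against an allowlist (assumed to come from configuration).
function corsOriginFor(originHeader, allowedOrigins) {
  if (!isValidOriginSyntax(originHeader)) return null;
  // Exact comparison of the whole origin: a prefix or substring match would let
  // "https://example.com.evil.test" pass for "https://example.com".
  return allowedOrigins.includes(originHeader) ? originHeader : null;
}

// Applies the decision to a Node-style response object; returns the reflected
// origin or null. "Vary: Origin" keeps caches from serving one origin's answer
// to another.
function applyCors(req, res, allowedOrigins) {
  const allowed = corsOriginFor(req.headers.origin, allowedOrigins);
  if (allowed !== null) {
    res.setHeader('Access-Control-Allow-Origin', allowed);
    res.setHeader('Vary', 'Origin');
  }
  return allowed;
}
```

Note that the regex is case-sensitive and has no `i` flag, so an uppercase scheme or host is rejected; lower-case the header first if that is not the intended behaviour.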