CORS header should not validate invalid domains
Closed this issue · 1 comments
oscarcp commented
The current CORS mechanism accepts any Origin header and returns it in the response to make valid cross domain requests from the API. Instead of that, it should validate against a proper URL regex that checks if the origin is valid.
oscarcp commented
A valid regex to check against would be:
^(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?$
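
An added example, not code from this project or from the commenter: a sketch of Origin handling that parses the header as a bare origin and only echoes it back on an exact match against an allowlist, with the regex from the comment kept as `URL_SYNTAX` to show what a syntax-only check accepts. The allowlist entries and the function names `normalize_origin` and `cors_headers` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Regex quoted in the issue comment; it checks URL syntax only.
URL_SYNTAX = re.compile(
    r"^(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?$"
)

# Hypothetical allowlist of trusted origins (assumption for this example).
ALLOWED_ORIGINS = frozenset(
    {"https://app.example.com", "https://admin.example.com:8443"}
)

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return canonical scheme://host[:port], or None if not a bare origin."""
    if not value or len(value) > 255:
        return None
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError for out-of-range ports
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # An Origin header carries no path, query, fragment or userinfo.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    origin = f"{parts.scheme}://{parts.hostname}"  # hostname is lowercased
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    return origin


def cors_headers(origin_header, allowed=ALLOWED_ORIGINS):
    """Return CORS response headers, or {} when the origin is not trusted."""
    origin = normalize_origin(origin_header)
    if origin is None or origin not in allowed:
        return {}
    # Vary: Origin keeps shared caches from reusing one origin's response
    # for a request that came from a different origin.
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
```

`URL_SYNTAX` matches any well-formed domain, including ones absent from the allowlist, so the exact-match comparison in `cors_headers` is what decides whether the origin is echoed.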