CORS requests against OIDC

Cantor, Scott cantor.2 at osu.edu
Wed May 15 18:27:12 EDT 2019


> Does that seem reasonable?

I'm a bad choice to comment, but my feeling is that opening up any IdP path to CORS essentially guarantees malware exfiltration of sessions. This is either decently mitigated by network bound sessions or not, based on how hard you think client IP spoofing is.

I also don't know how client storage is impacted by CORS, if at all, so that might be another mitigation.
 
-- Scott
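As an added example (not from the post above or from any IdP's own code), the two points the reply makes, restated in code: a CORS policy for an IdP endpoint that never pairs a wildcard origin with credentials and only echoes allow-listed origins, next to the network-bound session check offered as a mitigation. The origin allow-list, endpoint names and addresses are constructed for the example.

```python
# Added example, not from the mailing-list post: minimal CORS policy for an
# IdP endpoint plus an IP-bound session check. All names/values constructed.
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed allow-list: only relying parties that genuinely need
# cross-origin XHR/fetch against the IdP are listed. Never "*".
ALLOWED_ORIGINS = {"https://app.example.edu"}


def cors_headers(origin: Optional[str], with_credentials: bool) -> Dict[str, str]:
    """Return the CORS response headers for an IdP endpoint.

    Browsers refuse Access-Control-Allow-Credentials: true together with
    Access-Control-Allow-Origin: *, so a credentialed (cookie-bearing)
    response must echo one exact origin, and only an allow-listed one.
    An unknown origin gets no CORS headers at all: the browser still
    sends the cookie, but script on that origin cannot read the reply.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,  # exact echo, never "*"
        "Vary": "Origin",  # stop caches serving one origin's answer to another
    }
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


@dataclass
class Session:
    id: str
    bound_ip: str  # client address recorded at login


def session_accepted(session: Session, client_ip: str) -> bool:
    """Network-bound session check: a session identifier presented from a
    different address than the one it was issued to is refused. How much
    this helps depends on how hard client IP spoofing is in the deployment."""
    return session.bound_ip == client_ip
```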


