CORS requests against OIDC

Liam Hoekenga liamr at umich.edu
Wed May 15 21:10:16 EDT 2019


On Wed, May 15, 2019 at 5:27 PM Cantor, Scott <cantor.2 at osu.edu> wrote:

> > Does that seem reasonable?
>
> I'm a bad choice to comment, but my feeling is that opening up any IdP
> path to CORS essentially guarantees malware exfiltration of sessions. This
> is either decently mitigated by network bound sessions or not, based on how
> hard you think client IP spoofing is.
>

It is basically implementing what's described at
https://wiki.shibboleth.net/confluence/display/IDP30/Cross-origin+AJAX+requests+for+Shib-protected+resources
The SAML endpoints would suffer from the same vulnerability, right?

Liam
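An added example, not from this thread or the linked wiki page, of the allowlist-style CORS handling the question is about: an IdP path answers a credentialed cross-origin request only for an exact, explicitly listed origin, and an audit helper flags the reflected-origin-plus-credentials pattern that would let any site read a session-bound response. The origins, function names and the https-only rule are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allowlist of relying-party origins (constructed sample values).
ALLOWED_ORIGINS = {"https://app.example.edu", "https://portal.example.edu"}


def cors_headers_for(request_origin: Optional[str], allowlist: set) -> dict:
    """Return the CORS response headers an IdP endpoint should send for a
    credentialed (cookie-bearing) cross-origin request.

    Only an exact match against the explicit allowlist echoes the origin back.
    Reflecting whatever Origin arrives together with Allow-Credentials: true
    would let any page read the session-bound response, and browsers refuse
    a '*' origin for credentialed requests anyway, so anything else gets no
    CORS headers at all (the browser then blocks the response).
    """
    if not request_origin:
        return {}  # same-origin or non-browser request: nothing to grant
    parts = urlsplit(request_origin)
    # An Origin is scheme://host[:port] with no path, query or fragment.
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query or parts.fragment:
        return {}  # malformed or non-TLS origin: do not grant
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalized not in allowlist:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # per-origin answers must not be cached across origins
    }


def is_unsafe_cors_policy(headers: dict, allowlist: set) -> bool:
    """Audit helper: flag a credentialed response whose Allow-Origin is a
    wildcard, 'null', or an origin outside the allowlist (a sign the server
    reflects Origin without checking it)."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None or not creds:
        return False  # no credentialed cross-origin read is granted
    return acao in ("*", "null") or acao not in allowlist
```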