CORS requests against OIDC

Liam Hoekenga liamr at
Wed May 15 21:10:16 EDT 2019

On Wed, May 15, 2019 at 5:27 PM Cantor, Scott <cantor.2 at> wrote:

> > Does that seem reasonable?
> I'm a bad choice to comment, but my feeling is that opening up any IdP
> path to CORS essentially guarantees malware exfiltration of sessions. This
> is either decently mitigated by network bound sessions or not, based on how
> hard you think client IP spoofing is.

It is basically implementing what's described at
The SAML endpoints would suffer from the same vulnerable, right?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list