Restrict Synapse backend CORS to allow subdomains of .synapse.org only

Description

SimpleCORSFilter currently sets Access-Control-Allow-Origin to any domain.

Suggest getting the header "origin", and only set Access-Control-Allow-Origin to '*' if it ends with ".synapse.org". Otherwise you could block (return something like "www.synapse.org").

This would block web client access being hosted outside the control of Sage Bionetworks (like a man-in-the-middle type attack, for example).
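The Origin check proposed above as a standalone Java method, added here as an example and not taken from Synapse's SimpleCORSFilter (the class and method names are hypothetical). It compares the parsed host against the `.synapse.org` suffix rather than the raw header string, requires https, and echoes the validated origin with `Vary: Origin` rather than `*`, because browsers reject `*` on responses to credentialed requests.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
public final class OriginAllowlist { // hypothetical helper, not Synapse code
    private static final String ALLOWED_SUFFIX = ".synapse.org";
    /** Returns the origin to echo in Access-Control-Allow-Origin, or null to refuse it. */
    public static String allowedOrigin(String origin) {
        if (origin == null || origin.isEmpty()) {
            return null; // no Origin header: not a cross-origin browser request
        }
        URI uri;
        try {
            uri = new URI(origin);
        } catch (URISyntaxException e) {
            return null; // unparseable header
        }
        String host = uri.getHost(); // null for the literal "null" origin and opaque URIs
        // A browser Origin is exactly scheme://host[:port]; anything more is suspect.
        if (host == null || !uri.getRawPath().isEmpty() || uri.getRawQuery() != null
                || uri.getRawFragment() != null || uri.getRawUserInfo() != null) {
            return null;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return null; // plain http would let a network attacker present an allowed host
        }
        // Compare the parsed host, not the raw header, so "https://notsynapse.org" and
        // "https://evil.example/#.synapse.org" cannot satisfy a naive endsWith().
        if (!host.toLowerCase(Locale.ROOT).endsWith(ALLOWED_SUFFIX)) {
            return null;
        }
        return origin;
    }
    /** CORS headers for a request; an empty map means the origin was refused. */
    public static Map<String, String> corsHeaders(String origin) {
        Map<String, String> headers = new LinkedHashMap<>();
        String allowed = allowedOrigin(origin);
        if (allowed != null) {
            headers.put("Access-Control-Allow-Origin", allowed); // echo the origin, not "*"
            headers.put("Vary", "Origin"); // shared caches must key the response on Origin
        }
        return headers;
    }
    public static void main(String[] args) { // constructed sample Origin headers
        String[] samples = {"https://www.synapse.org", "https://notsynapse.org", "http://www.synapse.org", "https://evil.example/#.synapse.org", "null"};
        for (String s : samples) System.out.println(s + " -> " + corsHeaders(s));
    }
}
```

Only the first sample yields headers; the others are refused, which is the behaviour the filter change is meant to produce.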

Environment

None

Status

Assignee

Unassigned

Reporter

Jay Hodgson

Labels

None

Validator

Bruce Hoff

Release Version History

None

Priority

Major