Ignore CORS about crumb HOT 12 CLOSED

Crumb protection is not being skipped when CORS is turned on. The crumb cookie will only be set for domains listed in the allowOrigins setting, but crumb protection will still be enabled for all requests. The whole purpose of the security fix was to not leak the crumb token to unauthorized Cross Origin requests.
If crumb is not currently behaving like this, it is a bug.
Will verify today.

from crumb.

We might need to expose the Origin match utility in hapi then to do this properly.

from crumb.

Does it just not set the cookie or also doesn't validate the form if no cookie is set?

from crumb.

@hueniverse if a CORS request is from an unknown Origin, the generate function isn't called and a cookie isn't returned.
That is the only code affected by CORS
Where is the Origin match utility in HAPI? I would be happy to integrate that

from crumb.

Can you explain this to me: https://github.com/hapijs/crumb/blob/master/lib/index.js#L203-L206

It makes no sense. You are comparing the incoming host header to the connection host. The way you are testing it is based on the old shot module behavior where it didn't set the host header properly. I upgraded to hapi 11 and half the tests broke.

from crumb.

In hapi v12 you should use request.info.cors.isOriginMatch exclusively without using any of the custom config stuff you have in crumb right now. IOW, we need a new major version of crumb for hapi v12.

from crumb.

Ok will do. Thanks for exposing that
On Jan 2, 2016 2:23 PM, "Eran Hammer" [email protected] wrote:

In hapi v12 you should use request.info.cors.isOriginMatch exclusively
without using any of the custom config stuff you have in crumb right now.
IOW, we need a new major version of crumb for hapi v12.

—
Reply to this email directly or view it on GitHub
#61 (comment).

from crumb.

Using request.info.cors.isOriginMatch alone won't allow a route to set the crumb for a CORS client and same-origin client (ie server rendered page)
That was what the extra logic had been for. Set crumb if it's a same-origin request OR an allowed CORS origin.
Maybe we don't support that, but it had been a request that came in an issue.

from crumb.

What does it mean "same origin request"? This line: https://github.com/hapijs/crumb/blob/master/lib/index.js#L203-L206 makes no sense as described above. Upgrade the tests to hapi v12 and see what happens.

from crumb.

I have already upgraded and tested locally (hapi12) branch.
Sorry for not explaining well. What I'm trying to describe is an edge case and probably not worth supporting.
Should be able to PR the update later today

from crumb.

6.0.0 release addresses this

from crumb.

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.

from crumb.