\Drupal\acquia_contenthub_subscriber\EventSubscriber\ContentHubSubscriberEvent's sole purpose is to enable CORS support (and the class name should probably give that away, but it does not).

Specifically this line: $response->headers->set('Access-Control-Allow-Origin', '*');… that effectively allows any origin to request this.

I'd look into https://www.drupal.org/node/2715637.

Comments

Wim Leers created an issue.

Wim Leers

Issue tags: +Needs tests

Also, there's no test coverage for this at all. Anything that is security-sensitive should have test coverage.

Wim Leers

Title: Hardcoded CORS support looks buggy » CORS support looks buggy, is applied to all Drupal responses, has no test coverage
Priority: Normal » Major

Worse, this is running for all responses…
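Added example, not code from acquia_contenthub_subscriber and not from any participant in this issue: a Drupal event subscriber that shows the shape of the fix the summary and the comment above point at. Against the wildcard line quoted in the summary, it emits CORS headers only on named routes rather than on every Drupal response, and echoes an origin from an exact-match allowlist rather than '*'. A PHPUnit unit test follows, one case per decision the subscriber makes, since the thread also asks for test coverage. The module name example_cors, the route name example_cors.api, the allowlisted origin, the class names and the service wiring are all assumptions; the code assumes Drupal 10 class names (PHP 8.1, Symfony 6: ResponseEvent, isMainRequest(), HttpKernelInterface::MAIN_REQUEST).

```php
<?php

declare(strict_types=1);

// Added illustration, not code from acquia_contenthub_subscriber or from this
// issue. Assumes Drupal 10 (PHP 8.1, Symfony 6) class names; the module name,
// route name and allowlist below are hypothetical.

namespace Drupal\example_cors\EventSubscriber {

  use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  use Symfony\Component\HttpKernel\Event\ResponseEvent;
  use Symfony\Component\HttpKernel\KernelEvents;

  /**
   * Emits CORS headers only on named routes and only for allowlisted origins.
   *
   * The pattern the issue reports, run on every response, was
   *   $response->headers->set('Access-Control-Allow-Origin', '*');
   */
  final class RestrictedCorsSubscriber implements EventSubscriberInterface {

    // $allowedOrigins: exact origins (scheme://host[:port]) allowed to read.
    // $routeNames: routes on which CORS headers may be emitted at all.
    public function __construct(
      private readonly array $allowedOrigins,
      private readonly array $routeNames,
    ) {}

    public static function getSubscribedEvents(): array {
      return [KernelEvents::RESPONSE => ['onResponse', 0]];
    }

    public function onResponse(ResponseEvent $event): void {
      // Sub-requests (render, ESI) never need CORS headers.
      if (!$event->isMainRequest()) {
        return;
      }
      $request = $event->getRequest();
      // Scope to the routes that need CORS, not to every Drupal response.
      if (!in_array($request->attributes->get('_route'), $this->routeNames, TRUE)) {
        return;
      }
      // Unknown or absent Origin: emit nothing, the browser then blocks the read.
      $origin = $request->headers->get('Origin');
      if ($origin === NULL || !in_array($origin, $this->allowedOrigins, TRUE)) {
        return;
      }
      $response = $event->getResponse();
      // Echo the validated origin, never '*' and never the raw request value.
      $response->headers->set('Access-Control-Allow-Origin', $origin);
      // The header now varies per origin; keep caches from cross-serving it.
      $response->setVary('Origin', FALSE);
      $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
    }

  }
}

namespace Drupal\Tests\example_cors\Unit {

  use Drupal\example_cors\EventSubscriber\RestrictedCorsSubscriber;
  use PHPUnit\Framework\TestCase;
  use Symfony\Component\HttpFoundation\Request;
  use Symfony\Component\HttpFoundation\Response;
  use Symfony\Component\HttpKernel\Event\ResponseEvent;
  use Symfony\Component\HttpKernel\HttpKernelInterface;

  // The test coverage the issue asks for: one case per branch in onResponse().
  final class RestrictedCorsSubscriberTest extends TestCase {

    // Runs one request through the subscriber and returns the resulting
    // Access-Control-Allow-Origin header, or NULL when none was set.
    private function acao(string $route, string $origin): ?string {
      $subscriber = new RestrictedCorsSubscriber(['https://app.example'], ['example_cors.api']);
      $request = Request::create('/api');
      $request->attributes->set('_route', $route);
      $request->headers->set('Origin', $origin);
      $event = new ResponseEvent(
        $this->createMock(HttpKernelInterface::class),
        $request, HttpKernelInterface::MAIN_REQUEST, new Response(),
      );
      $subscriber->onResponse($event);
      return $event->getResponse()->headers->get('Access-Control-Allow-Origin');
    }

    public function testAllowlistedOriginIsEchoed(): void {
      $this->assertSame('https://app.example', $this->acao('example_cors.api', 'https://app.example'));
    }

    public function testForeignOriginGetsNoCorsHeader(): void {
      $this->assertNull($this->acao('example_cors.api', 'https://attacker.example'));
    }

    public function testOtherRoutesAreUntouched(): void {
      $this->assertNull($this->acao('entity.node.canonical', 'https://app.example'));
    }

  }
}
```

A caveat on what the wildcard does and does not permit: browsers will not expose a response to cross-origin script when Access-Control-Allow-Origin: * is combined with credentials, so '*' by itself lets another site read only what an anonymous request to the same URL would return. The usual way that gets worse is when someone later needs credentialed requests and "fixes" the wildcard by reflecting the request's Origin header unvalidated; the subscriber above avoids that by matching against an exact-string allowlist and emitting no CORS headers at all for anything else.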

scor

Status: Active » Needs work

We had it baked in the module originally when we were working on the ember app using the ember server, but since we ship the ember app in the module, we no longer need CORS. We are planning to remove it. Tracking this internally in CHMS-1004.

scor

Status: Needs work » Fixed

As promised, we've removed CORS support in 8.x-1.0

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.