\Drupal\acquia_contenthub_subscriber\EventSubscriber\ContentHubSubscriberEvent's sole purpose is to enable CORS support (and the class name should probably give that away, but it does not).
Specifically this line: $response->headers->set('Access-Control-Allow-Origin', '*');
… that effectively allows any origin to request this.
I'd look into https://www.drupal.org/node/2715637.
Comments
Comment #2
Wim Leers: Also, there's no test coverage for this at all. Anything that is security-sensitive should have test coverage.
Comment #3
Wim Leers: Worse, this is running for all responses…
Comment #4
scor: We had it baked in the module originally when we were working on the ember app using the ember server, but since we ship the ember app in the module, we no longer need CORS. We are planning to remove it. Tracking this internally in CHMS-1004.
Comment #5
scor: As promised, we've removed CORS support in 8.x-1.0
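The module's fix was to drop CORS entirely. For a site that does need cross-origin reads, the following added example (not the module's code) shows the scoped alternative to the subscriber described in the summary and in comment #3: it acts only on named routes, exact-matches the request Origin against a fixed allowlist instead of emitting '*', and varies on Origin. The module namespace, route name and allowed origin are assumptions, and it assumes a Symfony 5.3+ kernel (Drupal 10) where ResponseEvent::isMainRequest() exists.

```php
<?php

namespace Drupal\example_cors\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Emits CORS headers only for an allowlisted origin on selected routes.
 *
 * Module name, route name and origin below are hypothetical.
 */
class RestrictedCorsSubscriber implements EventSubscriberInterface {

  /** Origins permitted to read responses cross-origin (assumed fixed list). */
  private const ALLOWED_ORIGINS = ['https://app.example.com'];

  /** Route names intended to be consumed cross-origin (hypothetical). */
  private const CORS_ROUTES = ['example_cors.api'];

  public static function getSubscribedEvents(): array {
    return [KernelEvents::RESPONSE => ['onResponse', -10]];
  }

  public function onResponse(ResponseEvent $event): void {
    // Unlike a subscriber that stamps every response, restrict to the main
    // request and to the routes that actually need cross-origin access.
    if (!$event->isMainRequest()) {
      return;
    }
    $request = $event->getRequest();
    if (!in_array($request->attributes->get('_route'), self::CORS_ROUTES, TRUE)) {
      return;
    }
    // Exact-match the allowlist; never reflect an arbitrary Origin back,
    // and never fall back to '*'.
    $origin = $request->headers->get('Origin');
    if ($origin === NULL || !in_array($origin, self::ALLOWED_ORIGINS, TRUE)) {
      return;
    }
    $response = $event->getResponse();
    $response->headers->set('Access-Control-Allow-Origin', $origin);
    $response->headers->set('Access-Control-Allow-Methods', 'GET, OPTIONS');
    // Vary on Origin so a shared cache cannot serve one origin's header to another.
    $response->setVary('Origin', FALSE);
  }

}
```

Register it as a tagged event_subscriber service in the module's services.yml; with this in place, requests from any other origin get no Access-Control-Allow-Origin header at all.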