# Gavin Andresen # 2011-01-11 12:53:33 # https://bitcointalk.org/index.php?topic=2672.msg37207#msg37207

davout said (at the github pull request):

> (quoted text)
> (quoted text)

If you've opened up access to the rpcport, then I don't think CORS support adds any significant vulnerability to password brute-forcing. I suppose it means a 10-year-old non-programmer can repeatedly enter a username and password into a website to try to brute-force your rpcpassword... but anybody capable of writing or running a script could just write a brute-forcer that doesn't run in a browser.

And, come to think of it, turning on CORS explicitly wouldn't stop the ten-year-old, either: they could just repeatedly browse to URL (link) and try different usernames/passwords.

Also, bitcoind already has anti-brute-forcing code.

The only security vulnerability I could imagine with CORS is that it might encourage people to add:

rpcallowip=*

... to their bitcoin.conf, so they can connect to bitcoin from any IP address. And I worry that they might not bother to set up SSL, in which case their rpc username/password will be sent across the net in the clear.
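As an added illustration (this is not part of Gavin's post or of the Bitcoin project's own documentation), here is the weak bitcoin.conf the post warns about beside a tightened version of the same file. The option names (rpcuser, rpcpassword, rpcallowip, rpcssl, rpcsslcertificatechainfile, rpcsslprivatekeyfile) are those of the bitcoind of that era; the client address, the password value and the certificate paths are placeholders chosen for the example.

```ini
# ---- Weak configuration: the pattern the post warns against ----
# rpcallowip=* accepts JSON-RPC connections from any address, and with
# rpcssl left off the HTTP Basic Auth header carrying rpcuser/rpcpassword
# crosses the network in the clear on every request.
rpcuser=bitcoinrpc
rpcpassword=hunter2
rpcallowip=*

# ---- Tightened configuration: same daemon, same option set ----
# Allow only the host that actually needs RPC access (placeholder address).
# The default, with no rpcallowip at all, is localhost only.
rpcuser=bitcoinrpc
rpcallowip=192.168.1.20
# A long random password: bitcoind's anti-brute-forcing code slows guessing,
# but password entropy is what makes guessing impractical (placeholder value).
rpcpassword=2uQx7Yf9vKp3HnRw8sLbT0eMzA4gJc6d
# Wrap RPC in TLS so the credentials are never sent as plaintext
# (placeholder paths; a self-signed certificate is enough when the RPC
# client is configured to trust that specific certificate).
rpcssl=1
rpcsslcertificatechainfile=/etc/bitcoin/server.cert
rpcsslprivatekeyfile=/etc/bitcoin/server.pem
```

The two sections are alternatives, not one file: pick the tightened one. Restricting rpcallowip limits who can even attempt authentication, and rpcssl addresses the separate problem the post raises, that a correct password is still exposed to anyone on the path if the connection is not encrypted.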