ADFS + CORS + Trusted Origin https://localhost a security problem?

Çağlar Arlı

Maybe a simple question, maybe not. We are struggling with a solution to allow our developers to develop web applications with the OAuth PKCS auth flow against our IdP/ADFS (Active Directory Federation Services) on a local dev machine. A trusted origin wildcard is a bad idea, is what one reads all over the place, OK. So we are thinking about including localhost in the trusted origins, which feels to me something like a wildcard. So the main question is: are there security implications with this solution? I think that we open the door to some MITM techniques, but I am not entirely sure, since CORS is mainly a client security solution...

Or, in other words: what would be a proper solution for local web developers to authenticate their stuff against our IdP/ADFS with CORS? Any suggestions? We thought about something like an alias, or even including every web dev box (machine name) in the trusted origins, or creating a subdomain as an alternative.