Not sure if this is a serious question :D so a semi-stupid answer: then don't allow the Authorization header via CORS.
-
It's actually a serious question. And the answer of course doesn't help, because we need the auth header for auth.
-
Sorry then ^^ Difficult to tell, as it highly depends on how your bearer token is implemented. I assume whitelisting specific domains is not an option?
-
Consider the bearer token to be nice and all. So why would I even want to whitelist if I have a working protection mechanism for the API?
-
For a Real Solution™, list the allowed origins in the token and evaluate them in an interceptor on the resource server. If the Origin is not listed, return 403.
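One way to implement the interceptor suggested above, as an added example and not the poster's code: a minimal HS256 bearer token that carries a hypothetical `allowed_origins` claim, and a resource-server check that returns 403 when the request's Origin header is not in that list. The claim name, the signing key and the helper names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real resource server loads this from configuration.
SECRET = b"demo-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, allowed_origins: list) -> str:
    """Mint an HS256 JWT carrying the hypothetical 'allowed_origins' claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "allowed_origins": allowed_origins}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the HMAC is valid, else None. The header's alg is
    deliberately ignored: the server only ever verifies with its own HS256 key."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None


def intercept(headers: dict) -> int:
    """Resource-server interceptor: return the HTTP status for a request."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    claims = verify_token(auth[len("Bearer "):])
    if claims is None:
        return 401
    origin = headers.get("Origin")
    # Browsers send Origin on cross-origin requests; a request whose Origin is
    # not bound into the token is refused even though the token itself is valid.
    # Requests without Origin (same-origin or non-browser clients) are not CORS.
    if origin is not None and origin not in claims.get("allowed_origins", []):
        return 403
    return 200
```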
-
There is no list of allowed origins.
-
*yawn* Welcome to the topic, and they're too thick to understand cc vs. RT vs. author.