Hey infosec Twitter. I have an API that's protected with bearer auth. No cookies anywhere. Can I 'Access-Control-Allow-Origin: *' safely?
And whitelisting is inconvenient in a lot of cases (JS caller in a local file, some test on the CI/CD system, etc.)
-
-
Based on limited info and characters ^^: the whitelist helps you know which origins are allowed to have a valid bearer token (e.g. XSS).
-
That's the thing: the browser doesn't set the bearer token automatically. So why do I need to whitelist anything?
-
If you trust and know all domains which can have a bearer token, you can do that of course (and never use cookies!).
-
Then it is simply about one secret, and using CORS to bypass the SOP.
-
Thanks for confirmation!
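The arrangement the thread settles on, as an added example (not code from anyone in the conversation): a bearer-only API that answers every origin with `Access-Control-Allow-Origin: *`, ignores cookies entirely, and never sends `Access-Control-Allow-Credentials`. Because `Authorization` is not a CORS-safelisted request header, the browser preflights the call, so the header has to be listed in `Access-Control-Allow-Headers` or the token is never sent. The token store, the `handle`/`authenticate`/`policyIsSafe` helpers and the sample requests are constructed for illustration and are assumptions, not anything the poster described.

```javascript
// Added example: CORS wildcard for a bearer-token-only API (not the poster's code).
// The token store and sample requests are constructed for illustration.

// Constructed token store: opaque bearer token -> subject. A real service would
// look tokens up in a database or verify a signed JWT instead.
const VALID_TOKENS = new Map([["tok_3f9c1a7e2b", "alice"]]);

// Compare two strings in constant time so a lookup does not leak prefix matches.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function lookupBearer(token) {
  for (const [stored, subject] of VALID_TOKENS) {
    if (constantTimeEqual(stored, token)) return subject;
  }
  return null;
}

// CORS headers for an API with no ambient credentials. The wildcard is safe
// precisely because the browser never attaches the bearer token by itself.
// Access-Control-Allow-Credentials is deliberately absent: it must never be
// combined with "*" (browsers reject that pairing anyway).
const CORS_HEADERS = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
  // Authorization is not CORS-safelisted, so it forces a preflight and must be
  // allowed explicitly, otherwise the browser drops the request.
  "Access-Control-Allow-Headers": "Authorization, Content-Type",
  "Access-Control-Max-Age": "600",
};

// Authenticate from the Authorization header only (RFC 6750 "Bearer" scheme,
// case-insensitive scheme name, token68 charset). Cookies are ignored on purpose:
// the thread's argument holds only if nothing ambient can authorize a call.
function authenticate(headers) {
  const value = headers["authorization"];
  if (typeof value !== "string") return null;
  const m = /^Bearer\s+([A-Za-z0-9._~+\/=-]+)$/i.exec(value);
  return m ? lookupBearer(m[1]) : null;
}

// Pure request handler: {method, headers} -> {status, headers, body}.
function handle(req) {
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
  // Preflight is answered without consulting auth and never sets a cookie.
  if (req.method === "OPTIONS" && headers["access-control-request-method"]) {
    return { status: 204, headers: { ...CORS_HEADERS }, body: "" };
  }
  const subject = authenticate(headers);
  if (!subject) {
    return {
      status: 401,
      headers: { ...CORS_HEADERS, "WWW-Authenticate": 'Bearer realm="api"' },
      body: JSON.stringify({ error: "missing or invalid bearer token" }),
    };
  }
  return {
    status: 200,
    headers: { ...CORS_HEADERS, "Content-Type": "application/json" },
    body: JSON.stringify({ hello: subject }),
  };
}

// Invariant worth keeping in a test suite: a wildcard origin must never travel
// with anything that would make credentials ambient.
function policyIsSafe(resp) {
  const h = Object.fromEntries(
    Object.entries(resp.headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  if (h["access-control-allow-origin"] !== "*") return true; // not a wildcard policy
  return h["access-control-allow-credentials"] === undefined && h["set-cookie"] === undefined;
}

// Constructed requests: a cross-site preflight, a cookie-only call from an
// untrusted origin (must fail), and a bearer call from a file:// page (Origin: null).
const preflight = handle({ method: "OPTIONS", headers: { Origin: "https://evil.example", "Access-Control-Request-Method": "GET", "Access-Control-Request-Headers": "authorization" } });
const cookieOnly = handle({ method: "GET", headers: { Origin: "https://evil.example", Cookie: "session=abc" } });
const withBearer = handle({ method: "GET", headers: { Origin: "null", Authorization: "Bearer tok_3f9c1a7e2b" } });
console.log(preflight.status, cookieOnly.status, withBearer.status, policyIsSafe(withBearer));
```

The cookie-only request from an arbitrary origin gets a 401 even though the wildcard lets the page read the response: there is nothing to read without the token, which only a script that already holds the secret can supply. The `Origin: null` case is the local-file caller from the thread, which a static whitelist cannot express cleanly; the wildcard covers it without reflecting or trusting `null`.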