Exception: Content that's 'protected' by the requester's IP. Eg geo-locked data, or extra debug data that might appear if the request is from an 'internal' IP.
Prikaži ovu nit
PSA: It's safe to put "Access-Control-Allow-Origin: *" on any response, *unless* that response's data is 'secured' by something other than cookies, basic auth, or TLS client certificates.
-
-
-
Exception: Content that's 'protected' by being on an internal network. Eg intranets, iot devices, local servers (although these should all be secured another way).
Prikaži ovu nit -
These are exceptions because they would allow an attacker who was outside the internal network, or didn't have the correct IP, to use an 'inside' user as a proxy.
Prikaži ovu nit
Kraj razgovora
Novi razgovor -
-
-
Probably good to explain "why" here. This is counterintuitive and confusing without knowing the little "special case" of credentialed cors and wildcard.
-
Fair point! Does this work:https://twitter.com/jaffathecake/status/1222082160405905408 …
- Još 4 druga odgovora
Novi razgovor -
-
-
since proxying exists, isn't it safe to say that any token that the client has it can send to the proxy and get around CORS that way? so even if it's not safe, it's no less safe?
-
Right, but it isn't simple for one origin to get a user's cookies for another origin. That requires the cooperation of the other origin.
- Još 15 drugih odgovora
Novi razgovor -
-
-
Or 'secured' by being IP/firewall restricted. Open CORS allows for jumping the firewall via phishing
- Još 2 druga odgovora
Novi razgovor -
-
-
The two layers of negations in your PSA make it a bit confusing. "You're safe to use Access-Control-Allow-Origin: * if you use: cookies, basic Auth, or TLS certificates." Is that right?
-
Do the follow-up tweets make it clear?
- Još 2 druga odgovora
Novi razgovor -
Čini se da učitavanje traje već neko vrijeme.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.