PSA: It's safe to put "Access-Control-Allow-Origin: *" on any response, *unless* that response's data is 'secured' by something other than cookies, basic auth, or TLS client certificates.
Prikaži ovu nit
-
Exception: Content that's 'protected' by being on an internal network. Eg intranets, iot devices, local servers (although these should all be secured another way).
Prikaži ovu nit
These are exceptions because they would allow an attacker who was outside the internal network, or didn't have the correct IP, to use an 'inside' user as a proxy.
-
-
Is there any good use case for a website on a non private network to access resources on a private/local ip? Feels like that should be baked I to the browsers security model...
-
I think there are cases where is hard to detect those
Kraj razgovora
Novi razgovor -
Čini se da učitavanje traje već neko vrijeme.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.