FOGProject / fogproject

An open source computer cloning & management system
https://fogproject.org
GNU General Public License v3.0

Insecure hardcoded CORS header #473

Closed djohle closed 2 years ago

djohle commented 2 years ago

https://github.com/FOGProject/fogproject/blob/171d63724131c396029992730660497d48410842/packages/web/commons/base.inc.php#L37

To me this seems a bit insecure to hardcode the wildcard like this, despite the "more secure" comment a few lines above. I'm thinking that not even having an ACAO header at all would be more secure than this!

Is there even a use case where one needs to access the UI resources from another origin?
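For contrast, an added example (not FOG's code) showing the hardcoded wildcard next to an allowlist-based alternative that emits no `Access-Control-Allow-Origin` header unless the requesting origin is explicitly permitted; `$allowedOrigins` is a hypothetical configuration value.

```php
<?php
// Added example, not code from the FOG project. $allowedOrigins is a
// hypothetical setting; a real deployment would load it from configuration.

// Weak: any origin may read responses from this endpoint.
// header('Access-Control-Allow-Origin: *');

/**
 * Decide which Access-Control-Allow-Origin value (if any) to emit.
 * Returns null when the request carries no Origin or the origin is not
 * allowlisted; in that case no ACAO header is sent at all.
 */
function corsOriginFor(?string $requestOrigin, array $allowedOrigins): ?string
{
    if ($requestOrigin === null || $requestOrigin === '') {
        return null; // no Origin header: same-origin or non-browser client
    }
    // Exact, case-sensitive match on the full scheme://host[:port] string.
    // Never reflect the incoming Origin value without checking it.
    return in_array($requestOrigin, $allowedOrigins, true) ? $requestOrigin : null;
}

function sendCorsHeaders(array $allowedOrigins): void
{
    $origin = corsOriginFor($_SERVER['HTTP_ORIGIN'] ?? null, $allowedOrigins);
    if ($origin === null) {
        return; // omit ACAO entirely; the browser's same-origin policy applies
    }
    header('Access-Control-Allow-Origin: ' . $origin);
    // The response now depends on the Origin request header, so shared
    // caches must key on it rather than serve one origin's answer to another.
    header('Vary: Origin');
}

// Hypothetical allowlist. An empty array means the UI is reachable from its
// own origin only, which is the "no ACAO header at all" option raised above.
$allowedOrigins = [];
sendCorsHeaders($allowedOrigins);
```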

mastacontrola commented 2 years ago

You’re right. I don’t know anything and I don’t know why I tried. I don’t know. And I never claimed to know. Sorry for failing it all. I won’t try anymore.

djohle commented 2 years ago

Well that escalated quickly. I can't tell if that was sarcasm or just total defeatism.

In any case, I was going to submit a pull request to "fix" the issue, but not knowing the intention behind the original code I figured it would be best to bring it up for discussion first to ensure what I was thinking made sense. Also, it's just a one-liner removal, so the pull request also seemed like a bit of unnecessary overhead for the task.

Sebastian-Roth commented 2 years ago

@djohle Thanks for bringing this up! @mastacontrola Don't worry about this. You've done fabulous work on FOG. Nobody is perfect. I'll just remove it in dev-branch and working-1.6.