FinalsClub / karmaworld

KarmaNotes.org v3.0
GNU Affero General Public License v3.0

PDF controls don't work when note iframe comes from S3 #287

Closed charlesconnell closed 10 years ago

charlesconnell commented 10 years ago

In connection with this ticket, I have set the CORS settings on our relevant S3 buckets to:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
    </CORSRule>
</CORSConfiguration>

This can be seen in the bucket settings, under Permissions / Edit CORS Configuration

btbonval commented 10 years ago

Oh it was cross site scripting that caused the problem. CORS is the right fix, but I think we want to be explicit about the domains.

We are already being targeted by random spam bots. Real spam users are likely to follow. We want to make sure security is in order.

charlesconnell commented 10 years ago

I don't see any harm in allowing GET requests from any domain. Is there? Working on beta now.

btbonval commented 10 years ago

If it's only GET requests, then it's fine.

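The thread settles on a wildcard origin being acceptable as long as the rule only allows GET, and on explicit origins being preferable otherwise. The script below is an added example (not part of the karmaworld project or this issue) that makes that judgement mechanical: it parses an S3 CORS configuration and classifies each rule as read-only wildcard, wildcard with state-changing methods, or explicit origins. The sample XML is constructed for the example; rule 1 is the GET-only rule from the thread, rules 2 and 3 are hypothetical, and `https://karmanotes.org` is assumed as the site's origin.

```python
"""Audit an S3 CORS configuration for over-broad rules (added example)."""
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
# Read-only methods: a wildcard origin paired only with these lets a page on
# another site read objects the bucket ACL/policy already makes readable,
# nothing more.
READ_ONLY_METHODS = {"GET", "HEAD"}

# Constructed sample configuration. Rule 1 is the GET-only wildcard rule from
# the thread; rules 2 and 3 are hypothetical, added for contrast.
SAMPLE_CORS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>https://karmanotes.org</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
    </CORSRule>
</CORSConfiguration>
"""


def parse_cors_rules(xml_text):
    """Return one {"origins": [...], "methods": [...]} dict per CORSRule."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rules = []
    for rule in root.findall(S3_NS + "CORSRule"):
        origins = [(e.text or "").strip() for e in rule.findall(S3_NS + "AllowedOrigin")]
        methods = [(e.text or "").strip().upper() for e in rule.findall(S3_NS + "AllowedMethod")]
        rules.append({"origins": origins, "methods": methods})
    return rules


def audit_cors_rules(rules, expected_origins=()):
    """Classify each rule.

    severity 'high': any origin may send state-changing methods
    severity 'info': wildcard origin but read-only (the thread's accepted case)
    severity 'warn': explicit origin that is not in expected_origins
    severity 'ok':   explicit, expected origins only
    """
    expected = set(expected_origins)
    findings = []
    for index, rule in enumerate(rules, start=1):
        wildcard = "*" in rule["origins"]
        mutating = sorted(set(rule["methods"]) - READ_ONLY_METHODS)
        unexpected = sorted(o for o in rule["origins"] if o != "*" and o not in expected)
        if wildcard and mutating:
            severity, note = "high", "any origin may use " + ", ".join(mutating)
        elif wildcard:
            severity, note = "info", "read-only from any origin"
        elif unexpected:
            severity, note = "warn", "unexpected origin(s): " + ", ".join(unexpected)
        else:
            severity, note = "ok", "explicit, expected origins only"
        findings.append({"rule": index, "severity": severity, "note": note})
    return findings


if __name__ == "__main__":
    # Assumed site origin; replace with the real one when auditing a bucket.
    for f in audit_cors_rules(parse_cors_rules(SAMPLE_CORS_XML), {"https://karmanotes.org"}):
        print("rule {}: {:<4} {}".format(f["rule"], f["severity"], f["note"]))
```

Feed it the XML exported from the bucket's Permissions / Edit CORS Configuration page and treat any `high` finding as a rule to tighten to explicit origins. Note what CORS does and does not control: it only decides which web pages' scripts may read a cross-origin response in a browser, so a read-only wildcard rule exposes nothing beyond what the bucket's own ACL or policy already makes public, and it is that policy, not CORS, that decides who can read the notes at all.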