Open joepio opened 1 year ago
Cross-origin cookies can't be set from JavaScript by design (major security risk); from what I can see, only subdomains are a possibility. Proxying images through your own server seems like an easy solution.
By far the simplest way to invalidate authentication is to set a minimum timestamp and reject everything earlier. Though just adding an expiration is more robust.
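The two checks from the comment above (a minimum issue timestamp and an expiration), combined in one validator. This is an added example, not code from the project or the thread: `AuthPolicy`, `Rejection`, the per-subject cutoff map and all sample values are hypothetical, and it assumes `issued_at` is read from the signed part of the cookie after the signature has been verified.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Rejection {
    IssuedInFuture, // timestamp is ahead of the server clock beyond the allowed skew
    Revoked,        // issued before a minimum timestamp
    Expired,        // older than the maximum age
}

/// Server-side state (hypothetical names). All times are Unix seconds.
pub struct AuthPolicy {
    pub max_age_secs: u64,
    pub clock_skew_secs: u64,
    /// Raise this to invalidate every cookie issued earlier, for all subjects.
    pub global_min_issued_at: u64,
    /// Per-subject cutoff, for "log out everywhere" on a single account.
    pub per_subject_min: HashMap<String, u64>,
}

impl AuthPolicy {
    /// Invalidate every cookie issued to `subject` before `now`.
    pub fn revoke_subject(&mut self, subject: &str, now: u64) {
        self.per_subject_min.insert(subject.to_string(), now);
    }

    /// `issued_at` must be covered by the cookie's signature, otherwise
    /// the client can simply choose a timestamp that passes.
    pub fn check(&self, subject: &str, issued_at: u64, now: u64) -> Result<(), Rejection> {
        // A far-future timestamp would outlive both the cutoff and the expiry.
        if issued_at > now.saturating_add(self.clock_skew_secs) {
            return Err(Rejection::IssuedInFuture);
        }
        let subject_min = self.per_subject_min.get(subject).copied().unwrap_or(0);
        if issued_at < self.global_min_issued_at.max(subject_min) {
            return Err(Rejection::Revoked);
        }
        if now.saturating_sub(issued_at) > self.max_age_secs {
            return Err(Rejection::Expired);
        }
        Ok(())
    }
}

fn main() {
    // Constructed sample values.
    let mut policy = AuthPolicy { max_age_secs: 3600, clock_skew_secs: 30,
        global_min_issued_at: 0, per_subject_min: HashMap::new() };
    let now = 1_700_000_000;
    println!("{:?}", policy.check("alice", now - 60, now));
    policy.revoke_subject("alice", now);
    println!("{:?}", policy.check("alice", now - 60, now + 1));
}
```

The cutoff has one-second granularity: a cookie issued in the same second as the revocation still passes the `<` comparison.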
The current implementation of cookie-based auth #241 solves the most important issue (being able to view private images), but it still needs some improvements: