Closed BigBlueHat closed 1 year ago
It is completely safe to augment any resource with
Access-Control-Allow-Origin: *
as long as the resource is not part of an intranet (behind a firewall). In other words, a URL you can fetch from a server on the internet using `wget` or `curl`.
The above advice must be true for any manifest.json
file served to enable use of a credential handler.
Then why did they flip the default away from that when they implemented CORS? Is it truly just for the intranet use case?
At any rate, happy to know we can just advise that easy change.
On Thu, Aug 24, 2023, 4:34 PM Dave Longley @.***> wrote:
The above advice must be true for any manifest.json file served to enable use of a credential handler.
> Then why did they flip the default away from that when they implemented CORS?
Browsers won't know whether something is part of an intranet or not -- so the default is to rely entirely on the same origin policy. Therefore, servers must announce that it's ok for browsers to send cross origin requests (and they may say that those requests can originate from one or more other specific origins -- or come from any other origin, `*`).
> At any rate, happy to know we can just advise that easy change.
+1, we should be able to just advise that easy change.
_Originally posted by @dlongley in https://github.com/credential-handler/chapi.io/pull/35#discussion_r1304774694_
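As an added example, not code from the chapi.io project or from anyone in the thread above, the following models the browser-side decision the discussion is about: whether script on one origin is allowed to read a cross-origin fetch of `manifest.json`, given the `Access-Control-Allow-Origin` header the server sent. It also includes a small header check a deployer can run over the headers their server returns. The header semantics follow the Fetch standard; the hostnames `wallet.example` and `issuer.example` are constructed for illustration.

```javascript
// Added example, not code from the chapi.io project or the thread above.
// Models the browser's CORS "allow origin" decision for a cross-origin GET of
// manifest.json and lints the headers a server sends. Header semantics follow
// the Fetch standard; the hostnames below are constructed for illustration.

function getHeader(headers, name) {
  // Header names are case-insensitive; compare them in lower case.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Headers a server should emit for a publicly fetchable manifest.json so any
// origin can read it, as the thread advises.
function manifestResponseHeaders() {
  return {
    'Content-Type': 'application/json',
    'Access-Control-Allow-Origin': '*',
  };
}

// Would script at requestOrigin be allowed to read a response from
// responseOrigin carrying these headers? Same-origin responses are always
// readable; otherwise Access-Control-Allow-Origin must be "*" or exactly the
// requesting origin, and "*" is rejected when credentials are included.
function corsAllowsRead(requestOrigin, responseOrigin, headers, { credentials = false } = {}) {
  if (requestOrigin === responseOrigin) return true; // same-origin policy
  const allow = getHeader(headers, 'Access-Control-Allow-Origin');
  if (allow === undefined) return false; // no CORS header: body stays opaque
  if (allow === '*') return !credentials; // wildcard never satisfies a credentialed request
  if (allow !== requestOrigin) return false;
  if (!credentials) return true;
  return String(getHeader(headers, 'Access-Control-Allow-Credentials') || '').toLowerCase() === 'true';
}

// Lint headers on a manifest.json meant for public credential-handler use.
// Returns a list of problems; an empty list means "any origin can read it".
function checkManifestHeaders(headers) {
  const problems = [];
  const allow = getHeader(headers, 'Access-Control-Allow-Origin');
  const creds = getHeader(headers, 'Access-Control-Allow-Credentials');
  if (allow === undefined) {
    problems.push('missing Access-Control-Allow-Origin: cross-origin fetch will fail');
  } else if (allow !== '*') {
    problems.push(`Access-Control-Allow-Origin is "${allow}": only that origin can read it`);
  }
  if (allow === '*' && String(creds || '').toLowerCase() === 'true') {
    problems.push('"*" cannot be combined with Access-Control-Allow-Credentials: true');
  }
  return problems;
}

// Constructed scenario: a wallet origin fetching an issuer's manifest.json.
const wallet = 'https://wallet.example';
const issuer = 'https://issuer.example';
console.log(corsAllowsRead(wallet, issuer, manifestResponseHeaders())); // true
console.log(corsAllowsRead(wallet, issuer, { 'Content-Type': 'application/json' })); // false
console.log(checkManifestHeaders(manifestResponseHeaders())); // []
```

To confirm what a deployed server actually sends, fetch the manifest's headers from outside the network (for example `curl -sI https://issuer.example/manifest.json`, hostname assumed) and feed the `Access-Control-*` lines to `checkManifestHeaders`; the thread's point is that the response must be reachable from the public internet, otherwise `*` also opens it to every page that can reach the intranet host.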