discuitnet / discuit

A free and open-source community discussion platform.
https://discuit.net
GNU Affero General Public License v3.0

Add CORS headers to HTTP responses #80

Open ttaylor-st opened 1 month ago

ttaylor-st commented 1 month ago

Closes #76

Everything should be working fine. I tested by replacing requests to discuit.net/api/* with localhost/api/* in the official client at discuit.net and everything worked perfectly fine.

ttaylor-st commented 3 weeks ago

@previnder sorry for the mention, someone else has asked about CORS on Discuit, do you know if/when this'll be merged?

previnder commented 3 weeks ago

Okay, tested this a bunch. There is a problem with allowing credentialed cross-site requests, in that it allows for CSRF requests to go through. Right now, it doesn't matter either way because the SID cookie is set with SameSite=Lax, so it won't be sent over with cross-site requests. But if the SameSite attribute was set to None, it would allow any domain to forge requests.

Moreover, it doesn't seem like it's possible to allow just any domain to host a web-client of a site, with support for authenticated requests, without huge CSRF vulnerabilities.
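The trade-off described in this comment (credentialed CORS is only safe when the allowed origin is an explicit allowlist, and the SID cookie's SameSite attribute is what keeps forged cross-site requests unauthenticated) can be shown with a small Go server fragment. This is an added example, not Discuit's code or the code in this PR: the `trustedOrigins` list, the `/api/example` path and the `sessionCookie` helper are assumptions made for the illustration; the cookie name `SID` and the `SameSite=Lax` setting are taken from the comment above. It also shows the contrasting case of a public, non-credentialed resource where a wildcard origin is fine.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Origins allowed to make credentialed (cookie-bearing) cross-site API calls.
// Constructed for this example; the real project has no such list.
var trustedOrigins = map[string]bool{
	"https://discuit.net": true,
}

// credentialedCORS wraps an API handler. It only ever reflects an origin from
// the allowlist, never "*": browsers refuse to expose a response to script when
// Access-Control-Allow-Origin is "*" and Access-Control-Allow-Credentials is
// "true". "Vary: Origin" stops a shared cache from replaying one origin's
// ACAO value to a different origin.
func credentialedCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		w.Header().Add("Vary", "Origin")
		if origin != "" && trustedOrigins[origin] {
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin)
			h.Set("Access-Control-Allow-Credentials", "true")
			h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")
			h.Set("Access-Control-Allow-Headers", "Content-Type")
		}
		if r.Method == http.MethodOptions { // preflight: headers only
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// publicCORS is for resources that need no cookie at all (e.g. image files).
// A wildcard is safe here precisely because credentials are never allowed.
func publicCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		next.ServeHTTP(w, r)
	})
}

// sessionCookie builds the session cookie (hypothetical helper). SameSite=Lax
// makes the browser omit it from cross-site POSTs, so a forged request from
// another origin arrives unauthenticated even if CORS would have exposed the
// response. SameSite=None would reverse that and reopen CSRF.
func sessionCookie(sid string) *http.Cookie {
	return &http.Cookie{
		Name:     "SID",
		Value:    sid,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
}

// corsHeadersFor sends one request with the given Origin through a middleware
// and returns the resulting ACAO and ACAC values ("" when absent).
func corsHeadersFor(mw func(http.Handler) http.Handler, method, origin string) (string, string) {
	h := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	req := httptest.NewRequest(method, "/api/example", nil) // hypothetical path
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	hdr := rec.Result().Header
	return hdr.Get("Access-Control-Allow-Origin"), hdr.Get("Access-Control-Allow-Credentials")
}

func main() {
	for _, o := range []string{"https://discuit.net", "https://evil.example"} {
		acao, acac := corsHeadersFor(credentialedCORS, "POST", o)
		fmt.Printf("API   origin=%-21s ACAO=%q ACAC=%q\n", o, acao, acac)
	}
	acao, _ := corsHeadersFor(publicCORS, "GET", "https://evil.example")
	fmt.Printf("image origin=any                   ACAO=%q\n", acao)
	fmt.Println("session cookie:", sessionCookie("abc").String())
}
```

Two caveats worth keeping in mind when reading this: the allowlist is what makes the credentialed branch safe, so an implementation that reflects whatever `Origin` it receives is equivalent to a wildcard with credentials; and `SameSite=Lax` still attaches the cookie to top-level GET navigations, so any state-changing GET endpoint stays forgeable regardless of the CORS policy.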

mmStiver commented 1 week ago

Hey, what's the decision on this?

I'm working on a bot that is blocked by CORS on image requests. I personally don't need authenticated requests, but it would be helpful to be able to do basic GETs for images.

previnder commented 1 week ago

Hey @mmStiver, I just added CORS headers for image file responses in b24bc66c. You should be good to go!