Open ttaylor-st opened 1 month ago
@previnder sorry for the mention, someone else has asked about CORS on Discuit, do you know if/when this'll be merged?
Okay, tested this a bunch. There is a problem with allowing credentialed cross-site requests, in that it allows for CSRF requests to go through. Right now, it doesn't matter either way because the SID cookie is set with `SameSite=Lax`, so it won't be sent over with cross-site requests. But if the `SameSite` attribute was set to `None`, it would allow any domain to forge requests.
Moreover, it doesn't seem like it's possible to allow just any domain to host a web-client of a site, with support for authenticated requests, without huge CSRF vulnerabilities.
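As an added illustration of the point made above (example code, not Discuit's own), a Go middleware that grants credentialed CORS only to an explicit origin allowlist and echoes that origin back rather than `*`; the allowlist entries, the port and the handler names are assumptions.

```go
package main

import "net/http"

// Constructed allowlist of origins permitted to make credentialed requests.
var allowedOrigins = map[string]bool{
	"https://discuit.net":   true,
	"http://localhost:3000": true,
}

// corsHeaders returns the headers to emit for a request carrying the given
// Origin, or nil (no CORS headers at all) when the origin is not allowlisted.
// The origin is echoed back verbatim, never "*": browsers reject "*" together
// with Allow-Credentials, and reflecting whatever origin the caller sends
// would let any site read authenticated responses. CORS only governs whether
// a cross-site page may read the response; it never stops the cookie from
// being sent, so the SID cookie must stay SameSite=Lax (or requests must
// carry a CSRF token) regardless of this check.
func corsHeaders(origin string) map[string]string {
	if origin == "" || !allowedOrigins[origin] {
		return nil
	}
	return map[string]string{
		"Access-Control-Allow-Origin":      origin,
		"Access-Control-Allow-Credentials": "true",
		"Access-Control-Allow-Methods":     "GET, POST, PUT, DELETE, OPTIONS",
		"Access-Control-Allow-Headers":     "Content-Type",
		"Vary":                             "Origin", // response differs per Origin; keep caches honest
	}
}

// withCORS applies corsHeaders to every response and answers preflight
// (OPTIONS) requests with 204 No Content.
func withCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range corsHeaders(r.Header.Get("Origin")) {
			w.Header().Set(k, v)
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	panic(http.ListenAndServe(":8080", withCORS(http.NotFoundHandler())))
}
```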
Hey, what's the decision on this?
I'm working on a bot that is blocked by CORS requests on images. I personally don't need authenticated requests, but it would be helpful to be able to do basic get images.
Hey @mmStiver, I just added CORS headers for image file responses in b24bc66c. You should be good to go!
Closes #76
Everything should be working fine. I tested by replacing requests to `discuit.net/api/*` with `localhost/api/*` in the official client at discuit.net and everything worked perfectly fine.