gbv / login-server

Login and connect accounts with multiple identity providers
https://coli-conc.gbv.de/login/
MIT License
31 stars 32 forks

Document domains that can access login status #22

Closed nichtich closed 5 years ago

nichtich commented 5 years ago

The start page and the /about endpoint should inform about which domains (e.g. coli-conc.gbv.de, *.gbv.de, ...) host applications that can access the login status and user identities once the user is logged in. This is not configured via ALLOWED_ORIGINS, is it?

stefandesu commented 5 years ago

Basically, this is configured via ALLOWED_ORIGINS. Those are all domains that are allowed via CORS (the domain of the base URL is added in code), and if the browser has third-party cookies enabled, those domains can use the user's session to get login status and user identities. But there are two caveats:

  1. If third-party cookies are disabled in the browser (default on Safari, not default on Firefox/Chrome), only same-origin domains (compared to the base URL) can access the user's session.

  2. If the browser ignores CORS (i.e. if the user configured the browser not to use CORS), AND third-party cookies are enabled, then any site can access the user's session (nothing we can do about that).

Which property should we use to add this information to /about?

stefandesu commented 5 years ago

I added it as "allowedDomains". Feel free to change it: https://github.com/gbv/login-server/blob/master/utils/index.js#L43