From: Alexandre IOOSS <erdnaxe@crans.org>
To: Juliusz Chroboczek <jch@irif.fr>, galene@lists.galene.org
Subject: [Galene] Re: CORS help needed
Date: Sun, 3 Nov 2024 14:05:24 +0100 [thread overview]
Message-ID: <14af8f37-90d0-4e37-a244-3e0b8ddaee8e@crans.org> (raw)
In-Reply-To: <878qu0u1yx.wl-jch@irif.fr>
Hello,
On 11/3/24 09:59, Juliusz Chroboczek wrote:
>
> - should we be allowing CORS on the administrative interface, or is it
> a security risk?
> <snip>
>
> - shold it be a single boolean, as right now, or should the user be able
> to specify a specific domain?
>
> My current understanding is:
>
> - we should allow CORS, but make it default to no;
>
> - we should have two distinct directives;
>
> - we shold allow specifying a domain, or even a small number of domains.
My two cents on the subject: we shouldn't motivate to set
'Access-Control-Allow-Origin: *' anywhere.
Users might set CORS to '*' to have a working setup, but might not
realize that now example.com can request their Galène instance (even if
Galène is hosted on a private network).
IMHO, a explicit configuration with a whitelist of allowed domain is a
much better solution compared to a boolean.
>> - should we have a single directive to control CORS, or should there be
>> separate directives for audio/video and for administration?
Let's consider a previous setup I had with Galène in some student
organization:
- Domain A hosts a modified Galène frontend.
- Domain B hosts a vanilla Galène server behind a NGINX reverse proxy.
- Domain B uses some NGINX directives to manually add a CORS header to
allow domain A to query Galène.
In such scenario, if an attacker manage to get XSS on the custom
frontend (for example through a badly implemented chat box), I clearly
don't want them to be able to request the administrative endpoint. So
having separate directives is a safer choice.
Best,
--
Alexandre
next prev parent reply other threads:[~2024-11-03 13:05 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-03 8:59 [Galene] " Juliusz Chroboczek
2024-11-03 13:05 ` Alexandre IOOSS [this message]
2024-11-04 10:24 ` [Galene] " Juliusz Chroboczek
2024-11-04 10:41 ` Alexandre IOOSS
2024-11-04 11:52 ` Juliusz Chroboczek
2024-11-03 18:21 Marty Betz
2024-11-03 19:43 ` Juliusz Chroboczek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.galene.org/postorius/lists/galene.lists.galene.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=14af8f37-90d0-4e37-a244-3e0b8ddaee8e@crans.org \
--to=erdnaxe@crans.org \
--cc=galene@lists.galene.org \
--cc=jch@irif.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox