Date: Sun, 03 Nov 2024 09:59:50 +0100
Message-ID: <878qu0u1yx.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: galene@lists.galene.org
Subject: [Galene] CORS help needed
List-Id: Galène videoconferencing server discussion list

Hello,

The administrative interface currently doesn't provide any CORS headers.  This means that people cannot access it from third-party web sites; they need to either integrate their code into Galene or use native clients.

This is https://github.com/jech/galene/issues/226

Currently, Galene has a very primitive CORS configuration: either publicServer is not set in the config file, in which case no CORS headers are produced, or publicServer is set, in which case CORS headers (and the equivalent for the WebSocket protocol) allow unrestricted access to both the native protocol and the WHIP ingress protocol.  In either case, the administrative interface is not affected.

Questions to the experts:

  - should we be allowing CORS on the administrative interface, or is it a security risk?
  - should we have a single directive to control CORS, or should there be separate directives for audio/video and for administration?
  - should it be a single boolean, as right now, or should the user be able to specify a specific domain?

My current understanding is:

  - we should allow CORS, but make it default to no;
  - we should have two distinct directives;
  - we should allow specifying a domain, or even a small number of domains.

Thanks for your help,

--
Juliusz
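An added example, not Galène's code, sketching the design the message arrives at: two independent origin-allowlist directives, one for the media endpoints and one for the administrative interface, both off by default, together with the Origin check that WebSocket handshakes need because browsers do not apply CORS to them. The type and function names (Policy, CORS, CheckWebSocketOrigin), the /media/ and /admin/ paths and the https://ops.example.org origin are assumptions made for this illustration, not Galène's configuration keys or routes.

```go
// Added example, not Galène's code: origin-allowlist CORS with separate
// policies for media and administrative endpoints, plus the Origin check
// for WebSocket handshakes. Names and paths are assumptions for the demo.
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Policy is one CORS directive. A nil or empty Origins list disables CORS
// (the proposed default), "*" admits any origin, and otherwise the request's
// Origin must match a listed origin exactly (scheme, host and port).
type Policy struct {
	Origins []string
	// Credentials controls Access-Control-Allow-Credentials. Browsers reject
	// "*" combined with credentials, so a credentialed policy (the usual case
	// for an admin interface) only works with concrete origins.
	Credentials bool
}

// Allows reports whether scripts running at origin may read responses.
func (p Policy) Allows(origin string) bool {
	if origin == "" || len(p.Origins) == 0 {
		return false
	}
	origin = strings.ToLower(origin)
	for _, o := range p.Origins {
		if o == "*" {
			return !p.Credentials // "*" with credentials is a misconfiguration: deny
		}
		if strings.ToLower(o) == origin {
			return true
		}
	}
	return false
}

// CORS wraps next with the headers the policy permits. The matching Origin is
// echoed back rather than replaced by "*", so Vary: Origin is set to stop a
// cache from serving one origin's response to another.
func CORS(p Policy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" { // same-origin or non-browser client: nothing to do
			next.ServeHTTP(w, r)
			return
		}
		w.Header().Add("Vary", "Origin")
		if !p.Allows(origin) {
			if r.Method == http.MethodOptions {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			// A cross-origin simple request still runs, but without
			// Access-Control-Allow-Origin the browser discards the response.
			next.ServeHTTP(w, r)
			return
		}
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", origin)
		if p.Credentials {
			h.Set("Access-Control-Allow-Credentials", "true")
		}
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			// Preflight: answer here without invoking the real handler.
			h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")
			h.Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
			h.Set("Access-Control-Max-Age", "600")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// CheckWebSocketOrigin is the WebSocket counterpart: browsers do not apply
// CORS to WebSocket handshakes, so the server must check Origin itself. The
// signature matches the shape of gorilla/websocket's Upgrader.CheckOrigin.
func CheckWebSocketOrigin(p Policy) func(*http.Request) bool {
	return func(r *http.Request) bool {
		origin := r.Header.Get("Origin")
		if origin == "" {
			return true // non-browser client; authentication, not CORS, gates it
		}
		return p.Allows(origin)
	}
}

func main() {
	media := Policy{Origins: []string{"*"}}
	admin := Policy{Origins: []string{"https://ops.example.org"}, Credentials: true}
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	mux := http.NewServeMux()
	mux.Handle("/media/", CORS(media, ok))
	mux.Handle("/admin/", CORS(admin, ok))

	// Constructed preflight from an unlisted origin against the admin endpoint.
	req := httptest.NewRequest(http.MethodOptions, "/admin/users", nil)
	req.Header.Set("Origin", "https://attacker.example")
	req.Header.Set("Access-Control-Request-Method", "POST")
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	fmt.Println("admin preflight from unlisted origin:", rec.Code) // 403
}
```

Two points the questions in the message turn on: the admin interface is the credentialed endpoint, and browsers refuse Access-Control-Allow-Credentials: true together with Access-Control-Allow-Origin: *, so an admin directive that means anything has to name origins and echo the matching one back (hence the Vary: Origin header); and CORS only limits what scripts in a browser may read, so it neither blocks nor replaces authentication for native clients or curl, which never send an Origin header and are unaffected by any of these headers.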