From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mail.toke.dk; spf=pass (mailfrom) smtp.mailfrom=irif.fr (client-ip=2001:660:3301:8000::1:2; helo=korolev.univ-paris7.fr; envelope-from=jch@irif.fr; receiver=) Authentication-Results: mail.toke.dk; dkim=pass (2048-bit key; unprotected) header.d=irif.fr header.i=@irif.fr header.a=rsa-sha256 header.s=dkim-irif header.b=Z00+yV88 Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) by mail.toke.dk (Postfix) with ESMTPS id 41492A95190 for ; Mon, 04 Nov 2024 11:25:11 +0100 (CET) Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id 4A4AP2A4017428; Mon, 4 Nov 2024 11:25:02 +0100 Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 12BC740E58; Mon, 4 Nov 2024 11:25:01 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=irif.fr; h= content-type:content-type:mime-version:user-agent:references :in-reply-to:subject:subject:from:from:message-id:date:date :received:received; s=dkim-irif; t=1730715901; x=1731579902; bh= 0513IUcRNFnOd8l2HtS20z+pKfrifFS092Nj7CNbL2g=; b=Z00+yV88Q/5G0W3I 3GGZepwUYzT8i60VxJY3OWVJnXKN3tVe1yNgz+FP2AL2oEcXMMomWJ3CCWkxniVo f9nD+ppPzpwXN1HEMu49wPGRS9rU32fJ3DJjM93PL5Z15cIGHFI2RS/Qwa7lWF1R JAisoXXJiiCuGMuw5G9EVNk+NAyG7SdUQfFVMa8z6tBZHohKFND46Rp/A3VIa31Z 8NvY/sAAhgf1/HRWJzTlJxYIAZ0oLeO9BGK0/zO6ZWhYo9x/3gSZW5r+R8xGnYlQ UH6KAzN86ZozPDySeP07ACDQGg3tjYniSL8Hai/c9cy9HonlqnMF8XdHeQ/Xb8Sz BhwrUA== X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id 3sSpG17FEEy0; Mon, 4 Nov 2024 11:25:01 +0100 (CET) Received: from pirx.irif.fr (89-64-68-167.dynamic.chello.pl [89.64.68.167]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id 83C2241014; Mon, 4 Nov 2024 11:25:00 +0100 (CET) Date: Mon, 04 Nov 2024 11:24:59 +0100 Message-ID: <87jzdjqosk.wl-jch@irif.fr> From: Juliusz Chroboczek To: Alexandre IOOSS In-Reply-To: <14af8f37-90d0-4e37-a244-3e0b8ddaee8e@crans.org> References: <878qu0u1yx.wl-jch@irif.fr> <14af8f37-90d0-4e37-a244-3e0b8ddaee8e@crans.org> User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/29.4 Mule/6.0 MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue") Content-Type: text/plain; charset=US-ASCII X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Mon, 04 Nov 2024 11:25:02 +0100 (CET) X-Miltered: at korolev with ID 6728A0FE.001 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)! X-j-chkmail-Enveloppe: 6728A0FE.001 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/ X-j-chkmail-Score: MSGID : 6728A0FE.001 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000 X-j-chkmail-Status: Ham Message-ID-Hash: TWTPBHSCZRWXPA7PBEPOVCNNMPJL625D X-Message-ID-Hash: TWTPBHSCZRWXPA7PBEPOVCNNMPJL625D X-MailFrom: jch@irif.fr X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: galene@lists.galene.org X-Mailman-Version: 3.3.10 Precedence: list Subject: [Galene] Re: CORS help needed List-Id: =?utf-8?q?Gal=C3=A8ne_videoconferencing_server_discussion_list?= Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: > In such scenario, if an attacker manage to get XSS on the custom frontend > (for example through a badly implemented chat box), I clearly don't want > them to be able to request the administrative endpoint. So having separate > directives is a safer choice. Okay, you've convinced me. What's the right syntax? A list of strings, the server finds the first origin that matches and dynamically generates a header for that specific origin? -- Juliusz