From mboxrd@z Thu Jan 1 00:00:00 1970
Authentication-Results: mail.toke.dk; spf=pass (mailfrom) smtp.mailfrom=crans.org (client-ip=185.230.79.39; helo=redisdead.crans.org; envelope-from=erdnaxe@crans.org; receiver=)
Authentication-Results: mail.toke.dk; dkim=pass (4096-bit key; secure) header.d=crans.org header.i=@crans.org header.a=rsa-sha256 header.s=mail header.b=GknMc5F/
Received: from redisdead.crans.org (redisdead.crans.org [185.230.79.39]) by mail.toke.dk (Postfix) with ESMTPS id 62B41A951BD for ; Mon, 04 Nov 2024 11:41:24 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crans.org; s=mail; t=1730716883; bh=kjcZ555RUDFvgB1SycT5TwMKZtECAmw6PCcntoLLCPs=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=GknMc5F/48VE/irwhN//HSsxhl6+D2+4SOTmqIPclwo4Nov1LW6O0mAwfmYoivTzm0+0HGMEhJ36K6faObd809PBl9O0Z5nBWeE1BJH8G6RumJeVCFweTYSIKyy9K1Gy6cPlcOzncwJFYbs4ypRRIeoM7IfKM1KW06dMBEtnClvbyRPMrU6NbUYn3DRe2uAk4CZLFyRqz+b9P1ofG4w6bLg96W9AdOgSFCEEmekJ2wGWzG0uJLEs7R0Xk6IEJYNDyRz/mZe18vMsrbSJKIefeCjaeYROqP7trmNoMDJBW50ccytgNM0r84zc7mPf/nSQoh5+qfcQcdyXOqd0h+K44+7pvrJ8CzdgDyPMn3HZpJc4QBhTfISXKuGuwZRCHQMUi+65vRL34F9TVFW94wSVY5LHpbq27ZO84+41VBoka7JUcZg9kh2VKswMhXWSOVHkHmDhbdtH29vNA9V+qRP4X0hUx4/ewcMJuenVPiYCnodn509MDO1gRBZPLproyXsCW016J3ueFq7ISfzrWYpHMfqSM1CsgG+bPLihSxQ2WUWREO6SmZt2qCiAF4lbcHl19M8O8U/0wazKPcj/Q7baFdiQcwma6Jm95ba1npTkaNsPyACVMxYiqUgXpqwwtckFOeLci4XR9LuhsA3+UELW/sFtMIW2YWaKWwP+ghZ2bO8=
Received: from [10.100.0.101] (carton.adh.crans.org [185.230.78.194]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by redisdead.crans.org (Postfix) with ESMTPSA id 693642B0; Mon, 4 Nov 2024 11:41:23 +0100 (CET)
Message-ID: <9b09e612-05ec-4737-939d-7387789f6e56@crans.org>
Date: Mon, 4 Nov 2024 11:41:22 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Juliusz Chroboczek
References: <878qu0u1yx.wl-jch@irif.fr> <14af8f37-90d0-4e37-a244-3e0b8ddaee8e@crans.org> <87jzdjqosk.wl-jch@irif.fr>
Content-Language: en-US
From: Alexandre IOOSS
Organization: Crans
In-Reply-To: <87jzdjqosk.wl-jch@irif.fr>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Message-ID-Hash: 72IC36NEWKE7VJXVSYOITJWYEZIDUTM5
X-Message-ID-Hash: 72IC36NEWKE7VJXVSYOITJWYEZIDUTM5
X-MailFrom: erdnaxe@crans.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: galene@lists.galene.org
X-Mailman-Version: 3.3.10
Precedence: list
Subject: [Galene] Re: CORS help needed
List-Id: =?utf-8?q?Gal=C3=A8ne_videoconferencing_server_discussion_list?=
Archived-At:
List-Archive:
List-Help:
List-Owner:
List-Post:
List-Subscribe:
List-Unsubscribe:

On 11/4/24 11:24, Juliusz Chroboczek wrote:
>> In such a scenario, if an attacker manages to get XSS on the custom frontend
>> (for example through a badly implemented chat box), I clearly don't want
>> them to be able to request the administrative endpoint. So having separate
>> directives is a safer choice.
>
> Okay, you've convinced me. What's the right syntax? A list of strings,
> the server finds the first origin that matches and dynamically generates
> a header for that specific origin?

Why not. According to
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#directives
there must be some server side code to find the matching origin.

Be careful of WebSockets: if I recall correctly, they don't have CORS
headers. However, some Golang libraries implicitly add an origin check on
WebSocket connection. See .

Best,

--
Alexandre
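The scheme discussed in this thread (a per-endpoint list of allowed origins, the server echoing back the one that matches, plus a separate explicit Origin check for WebSocket upgrades, which CORS does not cover) as an added illustration in Go. This is example code written for this archive page; it is not Galène's own code, and the origins `https://frontend.example`, `https://custom.example` and `https://admin.example` are constructed placeholders:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowlist is one endpoint's list of permitted origins (scheme://host[:port]).
// Origins are compared exactly; a wildcard is deliberately not supported, so a
// credentialed endpoint is never opened to every site.
type allowlist []string

// match returns the list entry to echo back in Access-Control-Allow-Origin and
// whether the request's Origin was on the list. An empty Origin (same-origin or
// non-browser request) never matches, so no CORS header is emitted for it.
func (a allowlist) match(origin string) (string, bool) {
	if origin == "" {
		return "", false
	}
	for _, o := range a {
		if o == origin {
			return o, true
		}
	}
	return "", false
}

// cors wraps next with a CORS policy restricted to allowed. Because each
// endpoint gets its own list, a frontend allowed on the public API can be left
// off the list for the administrative API, as the thread proposes.
func cors(allowed allowlist, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The header value depends on the request's Origin, so shared caches
		// must key on it.
		w.Header().Add("Vary", "Origin")
		if matched, ok := allowed.match(r.Header.Get("Origin")); ok {
			w.Header().Set("Access-Control-Allow-Origin", matched)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")
			w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
		}
		if r.Method == http.MethodOptions {
			// Preflight: an origin not on the list gets no CORS headers at all,
			// and the browser then refuses to send the real request.
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// websocketOriginOK is the check a WebSocket upgrade handler has to perform
// itself: the handshake is not subject to CORS, but browsers always send an
// Origin header on it, so it can be compared against the same list.
func websocketOriginOK(r *http.Request, allowed allowlist) bool {
	_, ok := allowed.match(r.Header.Get("Origin"))
	return ok
}

// allowedOriginFor sends one in-memory request with the given Origin through
// the policy and returns the Access-Control-Allow-Origin value it produced
// (empty when the origin was rejected).
func allowedOriginFor(allowed allowlist, method, origin string) string {
	h := cors(allowed, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, "/", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	// Constructed lists: the custom frontend is trusted on the public API only.
	publicAPI := allowlist{"https://frontend.example", "https://custom.example"}
	adminAPI := allowlist{"https://admin.example"}

	fmt.Printf("public API, custom frontend: %q\n", allowedOriginFor(publicAPI, "GET", "https://custom.example"))
	fmt.Printf("admin API, custom frontend:  %q\n", allowedOriginFor(adminAPI, "GET", "https://custom.example"))

	ws := httptest.NewRequest("GET", "/ws", nil)
	ws.Header.Set("Origin", "https://custom.example")
	fmt.Println("websocket upgrade from custom frontend to admin API allowed:", websocketOriginOK(ws, adminAPI))
}
```

In a real server the two wrappers would be registered on their own routes, for example `mux.Handle("/admin/", cors(adminAPI, adminHandler))` next to `mux.Handle("/api/", cors(publicAPI, apiHandler))`, and `websocketOriginOK` would run before the upgrade is accepted.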