From: Marty Betz <martybetz@gmail.com>
To: galene@lists.galene.org
Subject: [Galene] Re: CORS help needed
Date: Sun, 3 Nov 2024 10:21:16 -0800 [thread overview]
Message-ID: <CAK0PynfytEiJJL3c9Y7rCzuukWPDqwSGFTYD5Nj8kR5Yu5VA5w@mail.gmail.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 1279 bytes --]
On 2024-11-03, Juliusz Chroboczek wrote:
> Currently, Galene has a very primitive CORS configuration: either
> publicServer is not set in the config file, in which case no CORS headers
> are produced, or publicServer is set, in which case CORS headers allow
> unrestricted access
Because of required access to /public-group.json and /groups/groupname,
your bundled clients are only functional because they live on the same
domain as your server.
I guess one could argue that administrative requests should only be allowed
from a browser using these bundled example clients. Maybe all third party
client implementations should need to access "admin" APIs from a
site-generating server. (And thus, no CORS needed, and lessened XSS
vulnerability.)
So drawing a line between browser accessible API calls needing CORS, and
those you'd prefer to be accessible only from server would definitely be
useful.
I'm just learning about Galene details. What are administrative
interactions vs user interactions?
Questions:
1. For instance, will third party clients often want CORS access to data
like /public-groups.json?
2. Couldn't XSS allow for nefarious websocket listening and response? Does
the signaling protocol not also contain "administrative" possibilities?
Thank you,
Marty
[-- Attachment #2: Type: text/html, Size: 1410 bytes --]
next reply other threads:[~2024-11-03 18:21 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-03 18:21 Marty Betz [this message]
2024-11-03 19:43 ` Juliusz Chroboczek
-- strict thread matches above, loose matches on Subject: below --
2024-11-03 8:59 [Galene] " Juliusz Chroboczek
2024-11-03 13:05 ` [Galene] " Alexandre IOOSS
2024-11-04 10:24 ` Juliusz Chroboczek
2024-11-04 10:41 ` Alexandre IOOSS
2024-11-04 11:52 ` Juliusz Chroboczek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.galene.org/postorius/lists/galene.lists.galene.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAK0PynfytEiJJL3c9Y7rCzuukWPDqwSGFTYD5Nj8kR5Yu5VA5w@mail.gmail.com \
--to=martybetz@gmail.com \
--cc=galene@lists.galene.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox