On 2024-11-03, Juliusz Chroboczek wrote:
> Currently, Galene has a very primitive CORS configuration: either
> publicServer is not set in the config file, in which case no CORS headers
> are produced, or publicServer is set, in which case CORS headers allow
> unrestricted access

Because of required access to /public-group.json and /groups/groupname, your bundled clients are only functional because they live on the same domain as your server.

I guess one could argue that administrative requests should only be allowed from a browser using these bundled example clients. Maybe all third party client implementations should need to access "admin" APIs from a site-generating server. (And thus, no CORS needed, and lessened XSS vulnerability.)

So drawing a line between browser accessible API calls needing CORS, and those you'd prefer to be accessible only from server would definitely be useful.

I'm just learning about Galene details. What are administrative interactions vs user interactions?

Questions:
1. For instance, will third party clients often want CORS access to data like /public-groups.json?

2. Couldn't XSS allow for nefarious websocket listening and response? Does the signaling protocol not also contain "administrative" possibilities?

Thank you,
Marty