Hello,
On 04.02.2019 20:41, Jonas Schäfer wrote:
On Sonntag, 3. Februar 2019 18:18:20 CET Tedd Sterr wrote:
PR #743 - XEP-0156: Add implementation notes suggesting CORS - https://github.com/xsf/xeps/pull/743
Dave: +1 (doesn't actually recommend *, just uses it as an example; this is equivalent data to DNS SRV/TXT records, so I don't see a problem)
Georg: [on-list] (CORS headers are a Security, and just allowing * is probably a dumb idea)
Jonas: [on-list] (because of what Georg said)
Kev: +1
Link: +1
I don't have the web knowledge or the motivation to write out a good paragraph
which handles this. As a workaround, I'd be fine if one simply deletes the
example and leaves the rest as-is.
kind regards,
Jonas
Georg mentioned in Conversations MUC that he'd be happy with a warning
message.
I did a quick "git grep" but it seems XEPs do not use any stylistic
WARNING messages so I added a paragraph:
https://github.com/xsf/xeps/pull/743/files#diff-4fd958d9730d81a5ba1b395dba37039bR239
If someone has a better idea or wording I'd be glad to hear it and
incorporate it in the patch.
I was also pondering a quick explanation of how browsers react, but
I'm not sure if the text of a XEP is the right place to do it.
For interested parties:
"Access-Control-Allow-Origin: *", if set alone, allows only "simple
requests" [0] - that is, requests that look like <form> submissions. That
does include POST, but only with limited content types (multipart/form-data,
no JSON), and it does NOT allow sending credentials [1] (no cookies, client
certs, or any other ambient authority).
Actually "*" is a special value: using it as a header value completely
disables credentials and that can NOT be enabled even when
"Access-Control-Allow-Credentials: true" header is added [2].
Kind regards,
Wiktor
[0]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Simple_requests
[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Requests_with_credentials
[2]: "The string "*" cannot be used for a resource that supports
credentials." from: https://www.w3.org/TR/cors/#resource-requests
--
https://metacode.biz/@wiktor
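The two browser-side decisions Wiktor describes (which requests count as "simple", and why "*" never grants access to a credentialed request), modelled as an added example. This is not code from the thread, the PR or any XEP; it follows the CORS check in the Fetch standard, and the host-meta response at the bottom is a constructed sample.

```python
# CORS-safelisted methods, request headers and Content-Type values: a request
# staying inside these limits is a "simple request" and is sent without preflight.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def is_simple_request(method, request_headers):
    """True if a browser would send the request without an OPTIONS preflight."""
    if method.upper() not in SAFELISTED_METHODS:
        return False
    for name, value in request_headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return False
        if lname == "content-type":
            # Parameters such as charset or boundary do not matter; only the media type does.
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SAFELISTED_CONTENT_TYPES:
                return False
    return True


def cors_allows(response_headers, origin, with_credentials):
    """Decide whether the browser exposes the response to script running at `origin`.

    Mirrors the Fetch standard's CORS check: "*" is honoured only for requests
    made without credentials; a credentialed request needs the exact origin
    echoed back plus Access-Control-Allow-Credentials: true.
    """
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False
    if acao == "*":
        # Wildcard never matches a credentialed request, whatever ACAC says.
        return not with_credentials
    if acao != origin:
        return False
    if with_credentials:
        return headers.get("access-control-allow-credentials") == "true"
    return True


if __name__ == "__main__":
    # Constructed sample: a host-meta response served with the header from the PR.
    hostmeta = {"Content-Type": "application/xrd+xml", "Access-Control-Allow-Origin": "*"}
    print(cors_allows(hostmeta, "https://client.example", with_credentials=False))
    print(cors_allows(hostmeta, "https://client.example", with_credentials=True))
```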