about summary refs log tree commit diff
path: root/Gemfile
diff options
context:
space:
mode:
authorBen Lubar <ben.lubar+github@gmail.com>2018-10-24 20:13:35 -0500
committerEugen Rochko <eugen@zeonfederated.com>2018-10-25 03:13:35 +0200
commit13e049d7729425ade92a6800357bfd6224a722b8 (patch)
tree13cccc92f4f514a4c228ff49d7e613907dad08c5 /Gemfile
parent4ea718ef18c2171edf8ed0089fd0d28bdfb78ba1 (diff)
Allow cross-origin requests to /.well-known/* URLs. (#9083)
Right now, this includes three endpoints: host-meta, webfinger, and change-password.

host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser.

change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled.

The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery.
Diffstat (limited to 'Gemfile')
0 files changed, 0 insertions, 0 deletions