Browse Source

Allow cross-origin requests to /.well-known/* URLs. (#9083)

Right now, this includes three endpoints: host-meta, webfinger, and change-password.

host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser.

change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled.

The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery.
pull/4/head
Ben Lubar 6 years ago
committed by Eugen Rochko
parent
commit
13e049d772
1 changed files with 4 additions and 0 deletions
  1. +4
    -0
      config/initializers/cors.rb

+ 4
- 0
config/initializers/cors.rb View File

@ -9,6 +9,10 @@ Rails.application.config.middleware.insert_before 0, Rack::Cors do
allow do
origins '*'
resource '/.well-known/*',
headers: :any,
methods: [:get],
credentials: false
resource '/@:username',
headers: :any,
methods: [:get],

Loading…
Cancel
Save