this post was submitted on 04 Jul 2023
5 points (100.0% liked)
Web Development
3441 readers
17 users here now
Welcome to the web development community! This is a place to post, discuss, get help about, etc. anything related to web development
What is web development?
Web development is the process of creating websites or web applications
Rules/Guidelines
- Follow the programming.dev site rules
- Keep content related to web development
- If what you're posting relates to one of the related communities, crosspost it into there to help them grow
- If youre posting an article older than two years put the year it was made in brackets after the title
Related Communities
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
Wormhole
Some webdev blogs
Not sure what to post in here? Want some web development related things to read?
Heres a couple blogs that have web development related content
- https://frontendfoc.us/ - [RSS]
- https://wesbos.com/blog
- https://davidwalsh.name/ - [RSS]
- https://www.nngroup.com/articles/
- https://sia.codes/posts/ - [RSS]
- https://www.smashingmagazine.com/ - [RSS]
- https://www.bennadel.com/ - [RSS]
- https://web.dev/ - [RSS]
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
curl doesn't care about CORS, CORS is a browser implementation.
For CORS to work the url should be returning a header of
access-control-allow-origin : *
(or an header specific to the origin)It seems like they are working on it: https://github.com/LemmyNet/lemmy/pull/3421
yes but OP still can't do anything on the client side, it should be configured on the server
So I'll have to wait for this PR to be merged. I think they will do it soon because it provides more positive value that negative at this moment
I don't know if the PR is going to solve it though.
If I'm looking at the file changed: https://github.com/LemmyNet/lemmy/pull/3421/files
It seems like the "Lemmy Instance Owner" would have to set an environment variable of "
LEMMY_CORS_ORIGIN
" - and if there's no variable set it defaults back to:I don't know if instances are going to "allow *"
I haven't found
.allow_any_origin()
in source (query), but isn't it sorta equivalent toAccess-Control-Allow-Origin: *
? Or I'm misinterpreting somethingEdit: from the author of PR:
Setting it to
*
will prevent the browser from including credentials in the request (cookies). Dynamically setting it to the origin of the requesting client effectively does the same but also allows for using credentials.I don't think it would be a very good implementation to just let any site dynamically request to be allowed by CORS, including with credentials... A malicious site could do way too many things on the users behave
A possible solution would be something like how reddit or github do it - have the user first accept an "Allow third party app / website to access my account" - and after that, add those sites to the
Access-Control-Allow-Origin
What are the exact attack vectors you're thinking of?
Well I'm not expert on CORS, nor with the Lemmy API, so it's probably better to read about CORS exploits in more detailed articles.. https://www.freecodecamp.org/news/exploiting-cors-guide-to-pentesting/ for example
It seems Lemmy is storing a JWT in the cookiejar, so with
Access-Control-Allow-Credentials:true
and the domain inAccess-Control-Allow-Origin
a site should be able to do authenticated get requests on a users behave with the JWT, and access personal data.The "GET https://programming.dev/api/v3/private_message/" endpoint for example, would let someone read the private messages someone has send/received
I'm not sure whether someone could do POST requests and add credentials from the cookiejar this way though