this post was submitted on 04 Jul 2023
5 points (100.0% liked)

Web Development

3441 readers
17 users here now

Welcome to the web development community! This is a place to post, discuss, get help about, etc. anything related to web development

What is web development?

Web development is the process of creating websites or web applications

Rules/Guidelines

Related Communities

Wormhole

Some webdev blogsNot sure what to post in here? Want some web development related things to read?

Heres a couple blogs that have web development related content

CreditsIcon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
 

Hello, I have a problem with CORS and I think this is right community to get help.

When I use this code:

import { LemmyHttp } from 'lemmy-js-client';
const client = new LemmyHttp('https://lemmy.ml');
const { posts } = await client.getPosts({
    limit: 10,
    page: 1
});

to get posts from lemmy.ml (using lemmy-js-client), I get:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://lemmy.ml/api/v3/post/list?limit=10&page=1. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 400.

I have tried to add header like this:

const client = new LemmyHttp('https://lemmy.ml', {
    headers: {
        'Access-Control-Allow-Origin': '*'
    }
});

but result is the same.

Can someone help me with this?

you are viewing a single comment's thread
view the rest of the comments
[–] data0 1 points 1 year ago (1 children)

Setting it to * will prevent the browser from including credentials in the request (cookies). Dynamically setting it to the origin of the requesting client effectively does the same but also allows for using credentials.

[–] RonSijm 1 points 1 year ago (1 children)

I don't think it would be a very good implementation to just let any site dynamically request to be allowed by CORS, including with credentials... A malicious site could do way too many things on the users behave

A possible solution would be something like how reddit or github do it - have the user first accept an "Allow third party app / website to access my account" - and after that, add those sites to the Access-Control-Allow-Origin

[–] data0 1 points 1 year ago (1 children)

What are the exact attack vectors you're thinking of?

[–] RonSijm 1 points 1 year ago

Well I'm not expert on CORS, nor with the Lemmy API, so it's probably better to read about CORS exploits in more detailed articles.. https://www.freecodecamp.org/news/exploiting-cors-guide-to-pentesting/ for example

It seems Lemmy is storing a JWT in the cookiejar, so with Access-Control-Allow-Credentials:true and the domain in Access-Control-Allow-Origin a site should be able to do authenticated get requests on a users behave with the JWT, and access personal data.

The "GET https://programming.dev/api/v3/private_message/" endpoint for example, would let someone read the private messages someone has send/received

I'm not sure whether someone could do POST requests and add credentials from the cookiejar this way though