data0

joined 1 year ago
[–] data0 1 points 1 year ago (1 children)

What are the exact attack vectors you're thinking of?

[–] data0 1 points 1 year ago (3 children)

Setting it to * will prevent the browser from including credentials in the request (cookies). Dynamically setting it to the origin of the requesting client effectively does the same but also allows for using credentials.

[–] data0 3 points 1 year ago* (last edited 1 year ago) (1 children)

The Access-Control-Allow-Origin header is meant to be set on the server side and is part of a mechanism called CORS. MDN has a good guide on CORS (it might seem too long and complex to read if you just want to access some data on an API, but knowing how it works is essential if you plan to work with HTTP-based APIs).

In short, lemmy.ml (and probably most other Lemmy instances) doesn't seem to allow API access from within a browser. You'll have to build a Node.js proxy (with lemmy-js-client) and connect the browser to that instead.