mastodon

Commit Graph

Author	SHA1	Message	Date
ThibG	3f12c07ff5	Use same CORS policy for /@:username and /users/:username (#9485 ) Fixes #8189 rack-cors being called before the application router, it does not follow the redirection, and we need a separate rule for /users/:username.	2018-12-10 21:39:47 +01:00
Ben Lubar	13e049d772	Allow cross-origin requests to /.well-known/* URLs. (#9083 ) Right now, this includes three endpoints: host-meta, webfinger, and change-password. host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser. change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled. The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery.	2018-10-25 03:13:35 +02:00
Yamagishi Kazutoshi	50529cbceb	Upgrade Rails to version 5.2.0 (#5898 )	2018-04-12 14:45:17 +02:00

Author

SHA1

Message

Date

ThibG

3f12c07ff5

Use same CORS policy for /@:username and /users/:username (#9485 )

Fixes #8189

rack-cors being called before the application router, it does not follow
the redirection, and we need a separate rule for /users/:username.

2018-12-10 21:39:47 +01:00

Ben Lubar

13e049d772

Allow cross-origin requests to /.well-known/* URLs. (#9083 )

Right now, this includes three endpoints: host-meta, webfinger, and change-password.

host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser.

change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled.

The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery.

2018-10-25 03:13:35 +02:00

Yamagishi Kazutoshi

50529cbceb

Upgrade Rails to version 5.2.0 (#5898 )

2018-04-12 14:45:17 +02:00

3 Commits