Something I don't think I've ever seen explained is whether there's any situation where it's safe to set "Access-Control-Allow-Origin: *" other than "if your site literally never serves any private data"

(I often hear "don't do it" which is fair I guess, but also like the Mastodon API intentionally sets Access-Control-Allow-Origin: * and that's extremely useful)

Also, is there any name for the attack(s) that setting "Access-Control-Allow-Origin: *" might expose you to? I feel like it's so much easier to talk about security stuff in terms of the specific threats we're trying to avoid, but I can't think of the name for it

(edit: I think it's CSRF)

@b0rk
Off the top of my head, check out "HTTP verbs and CSRF" on Wikipedia
https://en.wikipedia.org/wiki/Cross-site_request_forgery

(Though idk if CSRF is the right name for these attacks, it's got a nice ring to it)

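One way to pin down the "when is `*` safe" question from the thread is to encode the rule a server has to follow. This is an added example, not code from the thread or from Mastodon: what `Access-Control-Allow-Origin: *` changes is whether a page on another origin can read the response (the request itself could always be sent), and browsers refuse to pair `*` with `Access-Control-Allow-Credentials: true`. So the wildcard is safe exactly when the response never depends on credentials the browser attaches on its own (cookies, HTTP auth, client certs); a public feed, or an endpoint authorised only by an explicit bearer token the calling page already holds, qualifies, while a cookie-authorised endpoint must echo a specific allowlisted origin with `Vary: Origin`. The paths, the `AuthMode` labels and the allowlist below are constructed for the example.

```python
"""Decide which CORS response headers an endpoint should send, based on how the
server authorises the request. Added example (not from the thread or any project
it mentions); endpoint paths and the allowlist are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Literal
from urllib.parse import urlsplit

# Hypothetical classification of how an endpoint decides what to return.
AuthMode = Literal["none", "bearer", "cookie"]


@dataclass(frozen=True)
class Endpoint:
    path: str
    auth: AuthMode


# Constructed allowlist: the only origins allowed to read cookie-authorised data.
ALLOWED_ORIGINS = frozenset({"https://app.example.com"})


def normalize_origin(origin: str | None) -> str | None:
    """Return scheme://host[:port] lower-cased, or None for a missing, opaque
    ("null") or malformed Origin header."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path not in ("", "/"):
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_headers(endpoint: Endpoint, request_origin: str | None) -> dict[str, str]:
    """CORS headers to add to the response for a cross-origin request."""
    headers: dict[str, str] = {}
    if endpoint.auth in ("none", "bearer"):
        # Same explicit inputs give every caller the same answer, and the server
        # must never fall back to cookies here. A page on some other origin can
        # only read what it could already obtain, so the wildcard adds no exposure.
        headers["Access-Control-Allow-Origin"] = "*"
        if endpoint.auth == "bearer":
            # Lets scripts send the token in a preflighted request; the browser
            # still cannot combine "*" with cookies or other ambient credentials.
            headers["Access-Control-Allow-Headers"] = "Authorization"
        return headers
    # Cookie-authorised: only allowlisted origins may read, the response must
    # opt in to credentials, and it must be keyed on Origin so shared caches
    # never hand one origin's copy to another.
    origin = normalize_origin(request_origin)
    if origin is None or origin not in ALLOWED_ORIGINS:
        return headers  # no CORS headers at all: the browser blocks the read
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Credentials"] = "true"
    headers["Vary"] = "Origin"
    return headers


def audit(headers: dict[str, str]) -> list[str]:
    """Flag CORS header combinations browsers reject or that leak across origins."""
    findings: list[str] = []
    acao = headers.get("Access-Control-Allow-Origin")
    with_creds = headers.get("Access-Control-Allow-Credentials") == "true"
    if acao == "*" and with_creds:
        findings.append("wildcard origin with credentials: browsers reject this response")
    if acao not in (None, "*") and "origin" not in headers.get("Vary", "").lower():
        findings.append("origin-specific ACAO without Vary: Origin: cacheable across origins")
    return findings


if __name__ == "__main__":
    for ep, origin in [
        (Endpoint("/public-feed", "none"), "https://anywhere.example"),
        (Endpoint("/me", "bearer"), "https://anywhere.example"),
        (Endpoint("/settings", "cookie"), "https://anywhere.example"),
        (Endpoint("/settings", "cookie"), "https://App.Example.com"),
    ]:
        h = cors_headers(ep, origin)
        print(ep.path, ep.auth, origin, "->", h, audit(h) or "ok")
```

The two dangerous shapes the `audit` helper catches are the ones that come up in practice: a server that reflects whatever `Origin` it receives together with `Allow-Credentials: true` (which is what people usually mean by "`*` but with credentials"), and a per-origin header served without `Vary: Origin`, which lets a cache reuse one origin's response for another.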