something I don't think I've ever seen explained is whether there's any situation where it's safe to set "Access-Control-Allow-Origin: *" other than "if your site literally never serves any private data"

(I often hear "don't do it" which is fair I guess, but also like the Mastodon API intentionally sets Access-Control-Allow-Origin: * and that's extremely useful)

also is there any name for the attack(s) that setting "Access-Control-Allow-Origin: *" might expose you to? I feel like it's so much easier to talk about security stuff in terms of the specific threats we're trying to avoid, but I can't think of the name for it

(edit: I think it's CSRF)

@b0rk I mean there are multiple different attacks that you can perform after that, and a name would depend on which attack is performed, but if you want an umbrella term, one could suggest “Cross-Origin Data Exposure”. If you wanna be verbose and more specific, you could say “Cross-site request forgery-assisted data theft”
@b0rk ah, I see, I was too slow
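To make the question in the original post concrete (when is a bare `*` safe, and what "cross-origin data exposure" from the reply actually looks like), here is an added example that is not part of the thread: a small Python model of the browser-side CORS check from the Fetch specification, next to three server-side header policies. All function names, origins and the allowlist are constructed for illustration; nothing here is Mastodon's code.

```python
# Added example, not from the thread above: a model of the browser-side CORS
# check (from the Fetch specification) plus three server-side header policies,
# to show which header combinations let a cross-origin page read a response.
# Function names and sample origins are constructed for illustration.


def cors_check(response_headers: dict, request_origin: str, credentials: bool) -> bool:
    """Return True if a browser would let a script on `request_origin` read the
    response. Follows the Fetch spec's "CORS check":
      1. no Access-Control-Allow-Origin header            -> blocked
      2. "*" and the request carried no credentials        -> readable
      3. otherwise the value must equal the request origin exactly
      4. with credentials, Access-Control-Allow-Credentials: true is also required
    """
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False
    if acao == "*":
        # The wildcard is only honoured for non-credentialed requests, so a
        # bare "*" can never expose a cookie-authenticated response.
        return not credentials
    if acao != request_origin:
        return False
    if not credentials:
        return True
    return headers.get("access-control-allow-credentials") == "true"


def cors_headers_public() -> dict:
    """Policy for an endpoint that serves only public data (the Mastodon-API
    case): a bare wildcard and deliberately no Allow-Credentials header."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers_private(request_origin: str, allowlist: frozenset) -> dict:
    """Policy for an endpoint returning per-user data: only origins on an
    explicit allowlist get credentialed CORS headers; everyone else gets none,
    so the browser blocks the read."""
    if request_origin in allowlist:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # stop caches serving one origin's answer to another
        }
    return {}


def cors_headers_reflect_any(request_origin: str) -> dict:
    """The misconfiguration to avoid: echoing whatever Origin arrives *and*
    allowing credentials. This passes cors_check for every origin, which is
    the credentialed cross-origin data exposure the reply above names."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def scenario(policy_headers: dict, other_origin: str) -> dict:
    """Evaluate one policy from an arbitrary (constructed) third-party origin,
    with and without credentials attached to the request."""
    return {
        "anonymous_read": cors_check(policy_headers, other_origin, credentials=False),
        "credentialed_read": cors_check(policy_headers, other_origin, credentials=True),
    }


if __name__ == "__main__":
    third_party = "https://third-party.example"  # constructed origin
    trusted = frozenset({"https://app.example"})  # constructed allowlist

    print("wildcard, public endpoint    :", scenario(cors_headers_public(), third_party))
    print("allowlist, private endpoint  :", scenario(cors_headers_private(third_party, trusted), third_party))
    print("reflect-any, private endpoint:", scenario(cors_headers_reflect_any(third_party), third_party))
```

Running it shows the wildcard policy readable only for anonymous requests, the allowlist policy unreadable from the unlisted origin either way, and the reflect-any policy readable with credentials from any origin. One caveat for the "never serves private data" test in the original post: the wildcard blocks cookie-authenticated reads, but a response that is private only because of where the server sits (an intranet service, a localhost admin API) needs no credentials at all, so `*` does expose it to any page the user visits. Count ambient authorization, not just cookies, when deciding an endpoint is public.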