something I don't think I've ever seen explained is whether there's any situation where it's safe to set "Access-Control-Allow-Origin: *" other than "if your site literally never serves any private data"

(I often hear "don't do it" which is fair I guess, but also like the Mastodon API intentionally sets Access-Control-Allow-Origin: * and that's extremely useful)

@b0rk yeah interesting. I don’t know that it is a problem. Cookies/credentials can’t be sent (as part of the header) by browsers with the wildcard allow origin, so you typically wouldn’t set that when you require an authenticated request.
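The rule the reply describes, as an added example (not code from either post): a small JavaScript model of the browser's CORS response check beside two server policies, one for a public endpoint using the wildcard and one for an authenticated endpoint that echoes only an allowlisted origin. The function names and the `app.example` / `other.example` origins are assumptions.

```javascript
// Added example: models the browser-side CORS check against two server
// policies. Names (corsPolicyPublic, corsPolicyAuthenticated, browserAllows)
// and the origins used are constructed for illustration.

// Policy for an endpoint that serves only public data: the wildcard is fine,
// because the browser will never accept a wildcard for a credentialed request.
function corsPolicyPublic(requestOrigin) {
  return { "Access-Control-Allow-Origin": "*" };
}

// Policy for an authenticated endpoint: echo only origins on an explicit
// allowlist and add Vary: Origin so a shared cache does not hand one
// origin's headers to another.
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // constructed allowlist
function corsPolicyAuthenticated(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {}; // no CORS headers at all
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Model of the browser's CORS check on a cross-origin response:
// without credentials, "*" or an exact origin match is enough;
// with credentials, "*" is rejected and the response must name the exact
// origin and carry Access-Control-Allow-Credentials: true.
function browserAllows(requestOrigin, withCredentials, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === "*" || acao === requestOrigin;
  if (acao === "*") return false; // wildcard never satisfies a credentialed request
  if (acao !== requestOrigin) return false;
  return responseHeaders["Access-Control-Allow-Credentials"] === "true";
}
```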