something I don't think I've ever seen explained is whether there's any situation where it's safe to set "Access-Control-Allow-Origin: *" other than "if your site literally never serves any private data"

(I often hear "don't do it" which is fair I guess, but also like the Mastodon API intentionally sets Access-Control-Allow-Origin: * and that's extremely useful)

@b0rk the wildcard isn’t as bad as it sounds. It only allows anonymous requests (= no cookies). If you want to be truly permissive, you need to reflect the incoming Origin header.
@freddy that does make me feel even less clear about why it would not be safe to set Access-Control-Origin: * though
@b0rk In my head, the feature is similar to the CSP frame-ancestors directive. It is not really solving a direct security issue but it is preemptively blocking malicious websites from misusing your website. For example, a website could be a full-screen iframe of your website, but also add a popup box that asks for donations to your page, which then ends in a scammer's pockets. By blocking access to your website resources, you make it significantly harder to pull off such a scam.
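
The wildcard-versus-reflected-Origin point made earlier in the thread, as an added example that is not from any of the posters: a simplified version of the browser-side CORS check in the Fetch standard, run against a wildcard response and a reflected-origin response. The origin `https://other.example`, the helper names and the lower-cased header map are assumptions made for illustration.

```javascript
// Simplified CORS check, following the steps in the Fetch standard.
// Returns true when the calling page is allowed to read the response.
// responseHeaders is assumed to be a plain object with lower-cased keys.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;

  // "*" is only honoured when the request carries no credentials (cookies,
  // HTTP auth, client certificates).
  if (credentialsMode !== "include" && allowOrigin === "*") return true;

  // Otherwise the header must match the requesting origin exactly.
  // With credentials, "*" is compared as a literal string and never matches.
  if (allowOrigin !== requestOrigin) return false;
  if (credentialsMode !== "include") return true;

  // Credentialed reads additionally need an explicit opt-in from the server.
  return responseHeaders["access-control-allow-credentials"] === "true";
}

// Server policy A (constructed): wildcard, as a public read-only API might send.
const wildcardResponse = () => ({ "access-control-allow-origin": "*" });

// Server policy B (constructed): reflect the caller's Origin and allow
// credentials. This is the "truly permissive" setup: any site can read
// responses made with the visitor's cookies.
const reflectedResponse = (origin) => ({
  "access-control-allow-origin": origin,
  "access-control-allow-credentials": "true",
  "vary": "Origin",
});

function scenarios() {
  const origin = "https://other.example"; // constructed calling site
  return {
    // fetch(url): cross-origin default sends no cookies, wildcard is enough
    wildcardAnonymous: corsCheck(origin, "same-origin", wildcardResponse()),
    // fetch(url, {credentials: "include"}): cookies sent, wildcard rejected
    wildcardWithCookies: corsCheck(origin, "include", wildcardResponse()),
    // reflected origin plus Allow-Credentials: cookie-authenticated read allowed
    reflectedWithCookies: corsCheck(origin, "include", reflectedResponse(origin)),
    // reflected header naming a different origin than the caller
    mismatchedOrigin: corsCheck(origin, "include", reflectedResponse("https://app.example")),
  };
}

console.log(scenarios());
```

The check only decides whether the calling page may read the response; the request itself may still reach the server.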