something I don't think I've ever seen explained is whether there's any situation where it's safe to set "Access-Control-Allow-Origin: *" other than "if your site literally never serves any private data"

(I often hear "don't do it" which is fair I guess, but also like the Mastodon API intentionally sets Access-Control-Allow-Origin: * and that's extremely useful)

@b0rk the wildcard isn’t as bad as it sounds. It only allows anonymous requests (= no cookies). If you want to be truly permissive, you need to reflect the incoming Origin header.
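As an added illustration of the point above (this is not code from the thread), here is a small Python model of the browser-side "CORS check" from the Fetch standard, showing why `*` never grants access to a credentialed (cookie-carrying) request and what the reflected-Origin pattern changes; the origins and header sets are constructed for the example.

```python
# Added example: a model of the browser's CORS check (Fetch standard), used to
# show what "Access-Control-Allow-Origin: *" does and does not permit.
# Hostnames and header sets below are constructed for illustration.

def cors_check(request_origin: str, credentials_mode: str, headers: dict) -> bool:
    """Return True if a browser would let the calling page read the response.

    request_origin   : serialized origin of the page doing the fetch()
    credentials_mode : "omit", "same-origin" or "include"; cookies are only
                       attached cross-origin when it is "include"
    headers          : response headers, lowercase names
    """
    acao = headers.get("access-control-allow-origin")
    # 1. No header at all: the cross-origin read is blocked.
    if acao is None:
        return False
    # 2. The wildcard only satisfies requests made WITHOUT credentials.
    if credentials_mode != "include" and acao == "*":
        return True
    # 3. Otherwise the header must name this exact origin; "*" never matches here,
    #    which is what makes the wildcard safe for cookie-authenticated APIs.
    if acao != request_origin:
        return False
    # 4. Anonymous request matching an explicit origin: allowed.
    if credentials_mode != "include":
        return True
    # 5. Credentialed request: the server must additionally opt in.
    return headers.get("access-control-allow-credentials") == "true"


def public_api_headers() -> dict:
    """Headers for an API that serves only public data (the Mastodon-style case)."""
    return {"access-control-allow-origin": "*"}


def credentialed_headers(request_origin: str, allowlist: frozenset) -> dict:
    """Headers for an API that must be readable with cookies from a few known sites.
    The wildcard cannot be used here (step 2 above), so the Origin is reflected,
    but only when it is on the allow-list; reflecting every Origin together with
    allow-credentials would let any site read responses with the user's cookies.
    "Vary: Origin" stops caches from serving one origin's response to another."""
    if request_origin not in allowlist:
        return {}
    return {
        "access-control-allow-origin": request_origin,
        "access-control-allow-credentials": "true",
        "vary": "Origin",
    }
```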
@freddy that does make me feel even less clear about why it would not be safe to set Access-Control-Origin: * though

@b0rk @freddy My understanding is that it is designed to be safe to set for any site that is reachable from the public Internet.

In other words, a bunch of early browser security model decisions were made to prevent exfiltration of data from behind corporate firewalls.

ACAO:* is designed to be the thing that you can set globally in the server configuration for servers that are public, to fix the things that don't need to be blocked for public servers.

@b0rk @freddy I think the canonical historical reference for this being the intent is https://annevankesteren.nl/2012/12/cors-101
@dbaron @b0rk thanks for finding this article. My recollection is also that it’s meant to support private networks (home routers etc) and generally align with previous security models (back compat).