Mastodawn

something I don't think I've ever seen explained is whether there's any situation where it's safe to set "Access-Control-Allow-Origin: *" other than "if your site literally never serves any private data"

(I often hear "don't do it" which is fair I guess, but also like the Mastodon API intentionally sets Access-Control-Allow-Origin: * and that's extremely useful)

Show thread

Julia Evans Feb 4

also is there any name for the attack(s) that setting "Access-Control-Allow-Origin: *" might expose you to? i feel like it's so much easier to talk about security stuff in terms of the specific threats we're trying to avoid, but I can't think of the name for it

(edit: I think it's CSRF)

Show thread

Julia Evans Feb 5

huh I'm not sure if this is true but this post argues that it's generally fine to set Access-Control-Allow-Origin: * (as long as you don't set Access-Control-Allow-Credentials, and as long as the API is public and not on an intranet) https://advancedweb.hu/is-access-control-allow-origin-star-insecure/

Is Access-Control-Allow-Origin: * insecure?

Disabling a security feature is usually a bad thing. In this case, it's fine

Show thread

Viss Feb 5

@b0rk i have found in the last like, ten years of internetting that convincing people to take shit offline and put it behind a firewall or nat or SOMETHING so that the entire planet cant see/hit it is a sorta sisyphean task. it hasnt stopped me from trying tho :D

Show thread

Adam Katz

@Viss @b0rk it's also common for admins of such sites to leave the default password in place (and most software/appliances have static or externally predictable default creds). Sisyphus had an easier task.