something I don't think I've ever seen explained is whether there's any situation where it's safe to set "Access-Control-Allow-Origin: *" other than "if your site literally never serves any private data"

(I often hear "don't do it" which is fair I guess, but also like the Mastodon API intentionally sets Access-Control-Allow-Origin: * and that's extremely useful)

also is there any name for the attack(s) that setting "Access-Control-Allow-Origin: *" might expose you to? I feel like it's so much easier to talk about security stuff in terms of the specific threats we're trying to avoid, but I can't think of the name for it

(edit: I think it's CSRF)

huh I'm not sure if this is true but this post argues that it's generally fine to set Access-Control-Allow-Origin: * (as long as you don't set Access-Control-Allow-Credentials, and as long as the API is public and not on an intranet) https://advancedweb.hu/is-access-control-allow-origin-star-insecure/
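Added example (not from anyone in this thread or from the linked post): a small model of the CORS check a browser runs before it exposes a cross-origin response, taken from the Fetch standard, run against three server header policies. The origins (`https://attacker.example`, `https://app.example`) and the allowlist are made up for the demonstration. It shows why a literal `*` without `Access-Control-Allow-Credentials` only ever lets other pages read what an anonymous client could already fetch, and why the "reflect whatever Origin arrives and allow credentials" pattern is the one that leaks account data.

```javascript
// Browser side: the CORS check from the Fetch standard, applied to a response
// before a cross-origin page is allowed to read it.
//   requestOrigin: origin of the page calling fetch(), e.g. "https://attacker.example"
//   credentials:   the fetch() credentials mode: "omit" | "same-origin" | "include"
//   headers:       response headers with lower-cased names
function corsCheck(requestOrigin, credentials, headers) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return false;                       // no header: opaque response
  if (credentials !== "include" && acao === "*") return true; // the public-data case
  if (acao !== requestOrigin) return false;                   // "*" never equals an origin
  if (credentials !== "include") return true;
  return headers["access-control-allow-credentials"] === "true";
}

// Server side: three ways to answer a request that carries an Origin header.

// 1. Public data: ACAO "*" and nothing about credentials. Any cookies the
//    browser attached are still sent, but corsCheck refuses to expose the body
//    to a credentialed fetch, so the page only sees the anonymous view.
function publicPolicy(_origin) {
  return { "access-control-allow-origin": "*" };
}

// 2. The unsafe substitute for "* with credentials": echo any Origin back and
//    allow credentials. Every site on the web can now read the victim's data.
function reflectAnyOriginPolicy(origin) {
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
    vary: "Origin",
  };
}

// 3. Account data: credentials only for an explicit allowlist (assumed value).
const TRUSTED_ORIGINS = new Set(["https://app.example"]);
function allowlistPolicy(origin) {
  if (!TRUSTED_ORIGINS.has(origin)) return {}; // no CORS headers at all
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
    vary: "Origin",
  };
}

// Can a page at pageOrigin read the API response, given the server's policy
// and the credentials mode it used? The browser sends "Origin: pageOrigin".
function canRead(policy, pageOrigin, credentials) {
  return corsCheck(pageOrigin, credentials, policy(pageOrigin));
}

// Constructed origins for the scenarios below.
const ATTACKER = "https://attacker.example";
const APP = "https://app.example";

function runScenarios() {
  return {
    publicAnonRead: canRead(publicPolicy, ATTACKER, "omit"),             // true
    publicWithCookies: canRead(publicPolicy, ATTACKER, "include"),       // false
    reflectedLeak: canRead(reflectAnyOriginPolicy, ATTACKER, "include"), // true
    allowlistApp: canRead(allowlistPolicy, APP, "include"),              // true
    allowlistAttacker: canRead(allowlistPolicy, ATTACKER, "include"),    // false
  };
}

console.table(runScenarios());
```

Two things fall out of the model. First, `*` never lets a page read a response the server would not hand to an anonymous client, which is exactly why it is fine for a public API such as Mastodon's; the intranet caveat from the linked post is the case where "anonymous client" is the wrong assumption, because the server is only reachable from a network the victim's browser happens to sit on. Second, the check only governs whether the page may read the response. The request itself is still sent, cookies and all, so whether a state-changing endpoint is CSRF-safe is decided by the server (SameSite cookies, anti-CSRF tokens, non-simple content types), not by the ACAO value.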

@b0rk Very very "it depends." Any resource that is account-sensitive or susceptible to CSRF as mentioned above should be locked down harder. On the other hand, in some cases you need ACAO: *.
@mttaggart interesting, thanks! been trying to find reasons why setting ACAO: * might be problematic (other than the 2 reasons in that blog post) and I haven't been able to yet but I'll keep looking

@mttaggart @b0rk I think this is the other thing that's challenging about CORS (and security in general) -- it's hard to get a "yes, that's safe" answer. There's a mix of "it depends" and "here's _one_ example of an unsafe pattern", but "I know two unsafe patterns" does not indicate that all other patterns are safe.

In general, it's hard to prove a negative (i.e. "there are no security flaws in this design"), and since the security discussion is generally pointed towards risk-avoidance, you'll rarely get clear "do X" advice. If you can produce some on this (like a "web security basics" zine), I would buy it. 😁

@evana @mttaggart I'm very far from being a security expert but usually I think of security discussions in terms of threat modelling, and I feel like knowing about more possible risks helps me make my threat models more accurate