Julia EvansFeb 4

something I don't think I've ever seen explained is whether there's any situation where it's safe to set "Access-Control-Allow-Origin: *" other than "if your site literally never serves any private data"

(I often hear "don't do it" which is fair I guess, but also like the Mastodon API intentionally sets Access-Control-Allow-Origin: * and that's extremely useful)

Show threadJulia EvansFeb 4

also is there any name for the attack(s) that setting "Access-Control-Allow-Origin: *" might expose you to? i feel like it's so much easier to talk about security stuff in terms of the specific threats we're trying to avoid, but I can't think of the name for it

(edit: I think it's CSRF)

Show threadJulia EvansFeb 5
huh I'm not sure if this is true but this post argues that it's generally fine to set Access-Control-Allow-Origin: * (as long as you don't set Access-Control-Allow-Credentials, and as long as the API is public and not on an intranet) https://advancedweb.hu/is-access-control-allow-origin-star-insecure/
Is Access-Control-Allow-Origin: * insecure?

Disabling a security feature is usually a bad thing. In this case, it's fine

Show threadchrysn
@b0rk I agree. Like other legacy-caused rituals (meta color-scheme and meta viewport width, full rant at
https://chaos.social/@chrysn/115988387148359810) it says "I'm not doing the weird stuff that you came to expect from web devs"; in this case, the weird stuff would be treating some requests differently (eg. without access control) just due to their network address.
chrysn (@[email protected])

@[email protected] And there's another line by which every modern dev has to greet the hat of browsers bowing to people's inability to follow standards: <meta name="color-scheme" content="dark light"> Way before smartphones and dark mode, I was taught by @[email protected] to not assume default colors, and thus to only set foreground colors I also set background colors -- in case someone has unconventional defaults. (Along with using percentages vs absolute lengths to work, and not assuming any DPI value).

chaos.social
Feb 5 at 8:49pmWeb