Message7518
Two other notes:
I just added a Vary: Origin header to the REST responses since the existing OPTIONS handlers can be wrapped to implement origin filtering and return different info based on origin.
CSRF Origin checks currently have to be turned off for CORS REST calls.
This check either needs to be:
* driven off a prefix table that can be set in config.ini or by interfaces.py.
  If the origin sent by the client is matched by a prefix:
  ['https://foo.bar/', 'https://example.com', 'http://example.com']
  in the table then the origin check passes. Right now the prefix is the tracker url.
* re-implemented as a method on the client object that can be wrapped/overridden in
  interfaces.py.
I am leaning toward the prefix table from config.ini myself as I think it can be used to
implement origin filtering for preflight requests in the core code.
An open question is what to return if an origin check fails in preflight or in cors.
* return some 400 value
* remove Access-Control-Allow-Origin header with no other change. This will fail a
  prefetch and prevent the data returned from being accessible to JavaScript IIUC.
| Date | User | Action | Args |
| 2022-05-12 22:14:41 | rouilj | set | messageid: <1652393681.02.0.0195295091011.issue2551203@roundup.psfhosted.org> |
| 2022-05-12 22:14:41 | rouilj | set | recipients: + rouilj, schlatterbeck, marcus.priesch |
| 2022-05-12 22:14:41 | rouilj | link | issue2551203 messages |
| 2022-05-12 22:14:40 | rouilj | create | |
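As an added example (not code from Roundup or from this message), here is the config-driven origin table proposed above together with the two failure behaviours listed as the open question, written in Python against constructed config values; the names normalize_origin, origin_allowed and cors_response_headers are assumptions, and whole-origin comparison is used instead of raw string-prefix matching so that a bare entry such as 'https://example.com' cannot also match a longer hostname.

```python
"""Origin allow-list for CORS/CSRF checks, driven by a config-style table."""
from urllib.parse import urlsplit

# Constructed sample table in the shape the message proposes (config.ini style).
ALLOWED_ORIGINS = ['https://foo.bar/', 'https://example.com', 'http://example.com']


def normalize_origin(value):
    """Reduce a URL or Origin header to 'scheme://host[:port]', lower-cased.

    Returns None for values that are not absolute http(s) URLs, including the
    literal 'null' origin that browsers send for sandboxed or file:// pages.
    """
    parts = urlsplit(value.strip())
    if parts.scheme not in ('http', 'https') or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def origin_allowed(origin, table):
    """True if the request Origin is one of the configured origins.

    The comparison is on whole origins, not raw string prefixes: a bare
    prefix such as 'https://example.com' would otherwise also match
    'https://example.com.attacker.test'.
    """
    wanted = normalize_origin(origin or '')
    if wanted is None:
        return False
    return wanted in {normalize_origin(entry) for entry in table}


def cors_response_headers(origin, table, reject_with_400=False):
    """Return (status, headers) for a preflight or CORS request.

    Vary: Origin is always set because the answer depends on the Origin
    header, so shared caches must not reuse it across origins.  On failure
    the two options from the message are modelled: a 400 status, or simply
    omitting Access-Control-Allow-Origin so the browser blocks the response.
    """
    headers = {'Vary': 'Origin'}
    if origin_allowed(origin, table):
        headers['Access-Control-Allow-Origin'] = origin
        return 200, headers
    if reject_with_400:
        return 400, headers
    return 200, headers
```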