Cannot access Atom feeds from Javascript (CORS issue) #6329
Labels
bug
Something isn't working
Comments
|
Right now Mastodon renders atom fees with the logged-in users context, so
adding CORS headers would make us vulnerable to cross site scripting
requests that would leak private data. This should be fixable though.
…On Mon, Jan 22, 2018, 1:02 PM Nicholas Killewald ***@***.***> wrote:
I'm working on a simple StatusNet (GNU Social, Mastodon, etc) Javascript
widget, so one could, for instance, embed a StatusNet feed into a website.
It's mostly for my own use on my own server, but I'm trying to make it as
useful as possible for people with other setups than I use.
The way I have it set up, you give the widget an Atom feed, it downloads
it, and it formats the posts. This works fine on my GNU Social setup, but
it fails on any Mastodon instance I try it on, owing to the Atom feeds not
being sent with Access-Control-Allow-Origin headers. Javascript refuses to
do anything with that for (very good) security reasons.
I'll admit I haven't done much work involving Javascript reading data from
remote APIs like this, so this may seem like a naive question, but is there
a specific reason why Mastodon doesn't return that header when fetching a
user's Atom feed? And if not, would it be possible to update it to do so?
I'm not currently running a Mastodon instance; this is just from the
perspective of a developer reading data from a feed.
------------------------------
- I searched or browsed the repo’s other issues to ensure this is not
a duplicate.
- This bug happens on a tagged release
<https://github.com/tootsuite/mastodon/releases> and not on master (If
you're a user, don't worry about this).
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#6329>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAORV1wLuU_OH6PxcRS5EpE3tXVax5a9ks5tNM1FgaJpZM4RoY8L>
.
|
|
Note that browsers won't send credentials (i.e. cookies) on cross-origin requests unless the server allowed explicitly via |
|
Same issue for ActivityPub endpoints |
|
Same issue for the status embed endpoint. For example: https://fosstodon.org/@measlytwerp/100568808235949213/embed |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm working on a simple StatusNet (GNU Social, Mastodon, etc) Javascript widget, so one could, for instance, embed a StatusNet feed into a website. It's mostly for my own use on my own server, but I'm trying to make it as useful as possible for people with other setups than I use.
The way I have it set up, you give the widget an Atom feed, it downloads it, and it formats the posts. This works fine on my GNU Social setup, but it fails on any Mastodon instance I try it on, owing to the Atom feeds not being sent with Access-Control-Allow-Origin headers. Javascript refuses to do anything with that for (very good) security reasons.
I'll admit I haven't done much work involving Javascript reading data from remote APIs like this, so this may seem like a naive question, but is there a specific reason why Mastodon doesn't return that header when fetching a user's Atom feed? And if not, would it be possible to update it to do so?
I'm not currently running a Mastodon instance; this is just from the perspective of a developer reading data from a feed.
master(If you're a user, don't worry about this).The text was updated successfully, but these errors were encountered: