Mandate Access-Control-Allow-Origin: * for files available in public to allow browser based clients #653
If a server is serving CSAF 2.0 related files to the public it MUST set the HTTP header
Access-Control-Allow-Origin: *
to allow web browser based clients. This header setting allows "cross-origin resource sharing" (CORS), so that an application within a browser from a third-party domain can access the CSAF information (like security.txt, provider-metadata.json, ROLIE files and the CSAF documents themselves).
Without this header, for example, a single page application cannot access the contents of the files of a CSAF Provider. See the following code example, which you can run in a web browser with JavaScript enabled (save it as testcors.html and open it with the browser). You will not see any contents. If you comment out the WID URL and use the one from a testing JSON file, it can be seen that the contents are displayed. A look into the development tools and the network requests shows that a respective header is given.
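The following is an added example (Node.js), not the issue's testcors.html and not code from the CSAF project: it models both halves of what the issue describes, the headers a CSAF provider's server should emit for its public files, and the rule a browser applies to decide whether a script from another origin may read the response. The well-known paths are taken from the issue; the advisory document path and the origin are constructed.

```javascript
// Server side: which public CSAF files get the wildcard header.
// Matches the files named in the issue; the advisory layout under /.well-known/csaf/ is assumed.
const PUBLIC_CSAF_PATHS = [
  /^\/\.well-known\/security\.txt$/,
  /^\/\.well-known\/csaf\/provider-metadata\.json$/,
  /^\/\.well-known\/csaf\/.*\.json$/, // ROLIE feeds and CSAF documents
];

function isPublicCsafPath(path) {
  return PUBLIC_CSAF_PATHS.some((re) => re.test(path));
}

// Response headers for a GET of `path`; only public CSAF files receive Access-Control-Allow-Origin: *.
function csafResponseHeaders(path) {
  const headers = { 'content-type': path.endsWith('.json') ? 'application/json' : 'text/plain' };
  if (isPublicCsafPath(path)) {
    headers['access-control-allow-origin'] = '*';
  }
  return headers;
}

// Client side: would a browser let a script running at `origin` read this response?
// Simple GET per the Fetch standard: no header -> blocked; "*" -> allowed unless the
// request carried credentials; otherwise the value must equal the origin exactly.
function browserExposesBody(responseHeaders, origin, { credentials = false } = {}) {
  const allow = responseHeaders['access-control-allow-origin'];
  if (allow === undefined) return false;
  if (allow === '*') return !credentials;
  if (allow !== origin) return false;
  return !credentials || responseHeaders['access-control-allow-credentials'] === 'true';
}

// Walk the files the issue lists, as a single page application on another origin would fetch them.
function checkProvider(origin) {
  return [
    '/.well-known/security.txt',
    '/.well-known/csaf/provider-metadata.json',
    '/.well-known/csaf/white/2024/example-advisory.json', // constructed path
  ].map((p) => ({ path: p, readable: browserExposesBody(csafResponseHeaders(p), origin) }));
}

console.log(checkProvider('https://spa.example.org')); // constructed third-party origin
```

Dropping the wildcard from csafResponseHeaders reproduces the failure the issue describes: every entry comes back with readable: false, which is what the browser's developer tools show as a blocked cross-origin read.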