
Allow cross-origin requests to /.well-known/* URLs. #9083

Merged (1 commit, Oct 25, 2018)

Conversation

@BenLubar (Contributor) commented Oct 24, 2018

Right now, this includes three endpoints: host-meta, webfinger, and change-password.

host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser.

change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled.

The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery.

@ykzts approved these changes Oct 24, 2018

@Gargron merged commit 13e049d into tootsuite:master Oct 25, 2018

11 checks passed

ci/circleci: build Your tests passed on CircleCI!
ci/circleci: check-i18n Your tests passed on CircleCI!
ci/circleci: install Your tests passed on CircleCI!
ci/circleci: install-ruby2.3 Your tests passed on CircleCI!
ci/circleci: install-ruby2.4 Your tests passed on CircleCI!
ci/circleci: install-ruby2.5 Your tests passed on CircleCI!
ci/circleci: test-ruby2.3 Your tests passed on CircleCI!
ci/circleci: test-ruby2.4 Your tests passed on CircleCI!
ci/circleci: test-ruby2.5 Your tests passed on CircleCI!
ci/circleci: test-webui Your tests passed on CircleCI!
codeclimate All good!
cyber-gene added a commit to ikebuku-ro/mastodon that referenced this pull request Oct 25, 2018
Merge branch 'master' of github.com:tootsuite/mastodon
* 'master' of github.com:tootsuite/mastodon: (33 commits)
  i18n: Update Polish translation (tootsuite#9070)
  Bump parallel_tests from 2.24.0 to 2.25.0 (tootsuite#9090)
  Bump aws-sdk-s3 from 1.21.0 to 1.23.0 (tootsuite#9089)
  Bump version to 2.6.0rc2 (tootsuite#9087)
  Allow cross-origin requests to /.well-known/* URLs. (tootsuite#9083)
  Migrate all old direct messages to new conversations schema (tootsuite#9085)
  Add consistent interpolations check to CircleCI (tootsuite#9072)
  Set @body_classes to admin layout (tootsuite#9081)
  Fix missing plural keys (tootsuite#9084)
  Fix RTL layout of status display names (tootsuite#9075)
  Show upload options on click as well as hover (tootsuite#9074)
  Bump capybara from 3.9.0 to 3.10.0 (tootsuite#9077)
  Bump rspec-rails from 3.8.0 to 3.8.1 (tootsuite#9078)
  Bump i18n-tasks from 0.9.26 to 0.9.27 (tootsuite#9079)
  Fix JS error when posting from page without router context (tootsuite#9073)
  Bump i18n-tasks from 0.9.25 to 0.9.26 (tootsuite#9071)
  Bump parallel_tests from 2.23.0 to 2.24.0 (tootsuite#9064)
  Update Dockerfile (tootsuite#9026)
  Fix public timelines not instantly updating on compose (tootsuite#9050)
  Show suggested follows on search screen in mobile layout (tootsuite#9010)
  ...
cyber-gene added a commit to ikebuku-ro/mastodon that referenced this pull request Oct 25, 2018
Merge commit '2f0797bdbd7c25b0df3adfaa91d7b4e7bf4d513c' into production
* commit '2f0797bdbd7c25b0df3adfaa91d7b4e7bf4d513c': (30 commits)
  Bump version to 2.6.0rc2 (tootsuite#9087)
  Allow cross-origin requests to /.well-known/* URLs. (tootsuite#9083)
  Migrate all old direct messages to new conversations schema (tootsuite#9085)
  Add consistent interpolations check to CircleCI (tootsuite#9072)
  Set @body_classes to admin layout (tootsuite#9081)
  Fix missing plural keys (tootsuite#9084)
  Fix RTL layout of status display names (tootsuite#9075)
  Show upload options on click as well as hover (tootsuite#9074)
  Bump capybara from 3.9.0 to 3.10.0 (tootsuite#9077)
  Bump rspec-rails from 3.8.0 to 3.8.1 (tootsuite#9078)
  Bump i18n-tasks from 0.9.26 to 0.9.27 (tootsuite#9079)
  Fix JS error when posting from page without router context (tootsuite#9073)
  Bump i18n-tasks from 0.9.25 to 0.9.26 (tootsuite#9071)
  Bump parallel_tests from 2.23.0 to 2.24.0 (tootsuite#9064)
  Update Dockerfile (tootsuite#9026)
  Fix public timelines not instantly updating on compose (tootsuite#9050)
  Show suggested follows on search screen in mobile layout (tootsuite#9010)
  Persist volumes by default in docker-compose (tootsuite#9055)
  Revert "RTL: remove blank character inside bdi (tootsuite#9038)" (tootsuite#9056)
  Downgrade fog-openstack to 0.3.7 and fog-core to 2.1.0 (tootsuite#9049)
  ...