Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow cross-origin requests to /.well-known/* URLs. #9083

Merged
merged 1 commit into from Oct 25, 2018

Commits on Oct 24, 2018

  1. Allow cross-origin requests to /.well-known/* URLs.

    Right now, this includes three endpoints: host-meta, webfinger, and change-password.
    
    host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser.
    
    change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled.
    
    The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery.
    BenLubar committed Oct 24, 2018
    Copy the full SHA
    a7e3d48 View commit details
    Browse the repository at this point in the history