CORS allowances

[x4e]

At the moment browsers won't allow pages to make requests to wicrs servers on different origins due to CORS.
Adding a header like

Access-Control-Allow-Origin: *

should fix this.

Might need discussion over potential security issues.

[willemml]

So does this mean that a web client hosted at web.wic.rs would not be able to make requests to both server.wic.rs and wicrs.example.com?

[x4e]

I think it would be able to access the first but not the second. Not entirely sure though, might not be able to access either.

[willemml]

I think for now I will set

Access-Control-Allow-Origin: *

as you suggested earlier, might change later if a better way of doing this comes up...

[Tigermouthbear]

btw, CORS shouldn't be allowed for cookie authenticated routes unless you are whitelisting a trusted domain. If you do allow CORS on all origins, any site will be able to make authenticated requests on the user's behalf.

[willemml]

So no web clients for WICRS without them being added to the CORS settings in the WICRS server? (This also causes problems with possible electron apps.) Or do you mean just Cookie authenticated, so as long as everything outside of specifically authorized domains is authenticated by say a token given in the URL or request body?

[Tigermouthbear]

As long as you aren't using cookie authentication it should be okay, although it still may make you more susceptible to CSRF attacks. You should read this article which gives some tips on mitigating it: https://security.stackexchange.com/questions/62036/is-open-to-all-cors-safe-for-non-cookie-based-authentication-schemes-e-g-oauth