feat: allow cross-origin requests between users' own apps #7688


Merged
code-asher merged 7 commits into main from asher/cors
Jun 7, 2023


code-asher
Member

Closes #5706

@code-asher changed the title from "Allow cross-origin requests between users' own apps" to "feat: Allow cross-origin requests between users' own apps" May 25, 2023

@code-asher
Member, Author

code-asher commented May 25, 2023 (edited)

Originally I also overwrote CORS-related headers from the application (if it set any) but I ended up removing that because:

a) Currently users can already set their own headers (aside from OPTIONS requests) so this would be adding a new restriction I am not yet sure we want.
b) Not sure if allowing that has any security downsides. Nothing I can think of, at least. Nothing that uniquely affects cross-origin requests I should say.

@code-asher requested a review from Emyrk May 25, 2023 23:29
@code-asher marked this pull request as ready for review May 30, 2023 15:26
@code-asher changed the title from "feat: Allow cross-origin requests between users' own apps" to "feat: allow cross-origin requests between users' own apps" May 31, 2023
@Emyrk
Member

Because we issue auth cookies based on each subdomain, I think we are going to get 403 forbidden on these CORS requests unless the user authenticated to the other domain first.

But we can handle that later, just going to crop up quick 😢

@code-asher
Member, Author

> Because we issue auth cookies based on each subdomain, I think we are going to get 403 forbidden on these CORS requests unless the user authenticated to the other domain first.

Ahh good point, tested to confirm this is indeed a problem, the requests get redirected to auth.

> But we can handle that later, just going to crop up quick

Yeah I will merge this in for now, I have no idea how we are going to solve it though. Maybe we can at least return an error on cross-origin requests that says "you have to go authenticate first". Or if we can somehow authenticate without the redirection.

I think it was lost when I was resolving a conflict here.
@code-asher merged commit f0c5201 into main Jun 7, 2023
@code-asher deleted the asher/cors branch June 7, 2023 19:08
@github-actions bot locked and limited conversation to collaborators Jun 7, 2023
Reviewers

@Emyrk approved these changes

@kylecarbs left review comments

Assignees

@code-asher

Development

Successfully merging this pull request may close these issues.

CORS is not permitted between multiple subdomain workspace apps
3 participants
@code-asher @Emyrk @kylecarbs
