Skip to content
Extraits de code Groupes Projets
Sélectionner une révision Git
  • preprod par défaut protégée
  • main
  • v3.4.6-facil
  • v3.4.6-facil2
  • v3.4.1-facil
  • v2.8.0-facil
  • v2.7.4-facil
7 résultats
Recherche par auteur
  • Tout auteur
  • Admin. sys. Admin. sys. root
  • Antoine Desrosiers Antoine Desrosiers antdesros
  • Benoit Pruneau Benoit Pruneau bpruneau
  • Charles Robert Charles Robert crobert
  • Daniel Allaire Daniel Allaire allaire.dan
  • François Pelletier François Pelletier franc00018
  • fredyrouge fredyrouge fredyrouge
  • Manuel Viens Manuel Viens manuelviens
  • Mathieu Benoit Mathieu Benoit mathben
  • Mathieu Gauthier-Pilote Mathieu Gauthier-Pilote mathieugp
  • Pierre Duchemin Pierre Duchemin pierreduchemin
  • Romain Dessort Romain Dessort billux
  • Sébastien Blin Sébastien Blin AmarOk1412
  • Stéphane Lussier Stéphane Lussier stephane.lussier
  • yl yl yl77
15 auteurs
  1. déc. 10, 2018
  3. oct. 25, 2018
    • Ben Lubar's avatar
      Allow cross-origin requests to /.well-known/* URLs. (#9083) · 13e049d7
      Ben Lubar a rédigé 
      Right now, this includes three endpoints: host-meta, webfinger, and change-password.

host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser.

change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled.

The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery.
      13e049d7
  5. avr. 12, 2018