Implement CORS headers for the API

pcause
Bear Rating Master
Posts: 144
Joined: 23 Aug 2013, 19:52

Re: Implement CORS headers for the API

Postby pcause » 17 Sep 2013, 16:07

To return this to a (boring) topic, I felt the same as fox when I read the docs about that header. It looks like a "hit me with an XSS when I least see it coming"-thing. I can't understand the rationale of such a header, after the huge number of XSS exploits that have been made and the fact that browsers implemented a number of XSS restrictions "just to be on the safe side".


Probably for backwards compatibility. Folks want to keep accessing sites/apps that allow them to be hacked the way they used to be. Makes using the web much more exciting.

dxbi
Bear Rating Disaster
Posts: 62
Joined: 16 Mar 2013, 13:44

Re: Implement CORS headers for the API

Postby dxbi » 17 Sep 2013, 16:50

Isn't the idea to allow cross-site requests specifically for the API (where requests contain explicit authentication as opposed to cookies) while still maintaining XSS protection for the rest of the site?

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Implement CORS headers for the API

Postby fox » 17 Sep 2013, 18:33

API supports authentication via cookies, I think. Which could be XSS'd in case of a terrible shitty "web app" written by some idiot.

dxbi
Bear Rating Disaster
Posts: 62
Joined: 16 Mar 2013, 13:44

Re: Implement CORS headers for the API

Postby dxbi » 17 Sep 2013, 19:39

Ah, alright. Didn't look at the source. The API reference says "Session ID should be specified using JSON parameter sid" so I thought this was mandatory.

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Implement CORS headers for the API

Postby fox » 17 Sep 2013, 19:44

I think the sid parameter overrides the cookie if it is passed, otherwise it tries the cookie.
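An added example (not the project's code) of the policy dxbi describes and the override order fox describes: the API path is exposed cross-origin, but a cross-origin request is only ever authenticated by the explicit `sid` JSON parameter, never by the cookie, so the CORS header cannot turn an existing cookie session into an ambient credential for another page. The origin name, the request shape and the session table are assumptions.

```python
# Added example, not the forum software's own code. Models an API that takes a
# session either from an explicit JSON "sid" parameter or, failing that, from a
# cookie (the order fox describes), and adds CORS headers for the API only.
API_ORIGIN = "https://forum.example"  # assumed own origin (placeholder)
SESSIONS = {"abc123": "alice"}        # constructed sample: sid -> user


def authenticate(request, sessions=SESSIONS):
    """Return (user_or_None, extra_response_headers) for one API request.

    request is a plain dict (assumed shape): 'origin' is the Origin header or
    None, 'cookies' is a dict, 'json' is the parsed request body.
    """
    origin = request.get("origin")
    # A missing Origin header is treated as same-origin; a present one that
    # differs from our own origin marks a cross-origin call.
    cross_origin = origin is not None and origin != API_ORIGIN
    headers = {}
    if cross_origin:
        # Expose the API to other origins, but deliberately without
        # Access-Control-Allow-Credentials: browsers then refuse to let the
        # calling page read a response to a cookie-bearing request.
        headers["Access-Control-Allow-Origin"] = "*"
        headers["Vary"] = "Origin"

    # Explicit sid in the JSON body wins over the cookie when present.
    sid = request.get("json", {}).get("sid")
    if sid is None and not cross_origin:
        # Cookie fallback is same-origin only. The browser still sends the
        # cookie on a cross-origin request and the server would execute it,
        # so the server must ignore the cookie itself, not rely on the
        # browser's response blocking.
        sid = request.get("cookies", {}).get("sid")

    return sessions.get(sid), headers


if __name__ == "__main__":
    same = {"origin": None, "cookies": {"sid": "abc123"}, "json": {}}
    cross = {"origin": "https://other.example", "cookies": {"sid": "abc123"}, "json": {}}
    print(authenticate(same))   # ('alice', {})
    print(authenticate(cross))  # (None, {...CORS headers...})
```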

