Hey Beehaw mods!

I’m currently working on a Lemmy web client, but the lack of proper CORS headers is preventing anything from working :(

I just wanted to ask if the appropriate CORS headers could be added to the front-facing proxy layer. If you’re using Caddy, I believe something like this should do the trick:

reverse_proxy ... {
  header_down Access-Control-Allow-Origin *
  header_down Access-Control-Allow-Methods *
  header_down Access-Control-Allow-Headers *
}

Relevant issue: https://github.com/LemmyNet/lemmy/issues/3109

  • PenguinCoder@beehaw.orgM
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    I see the request, thanks for the ping. Those CORS headers are not appropriate, it would essentially remove any protections that CORS offers. I’d rather not completely strip away that security for a single app, when others can certainly abuse or try to exploit such.

    The asterisk wild-card permits scripts hosted on any site to load your resources; listing a specific <base URI> will permit scripts hosted on the specified site – and no others – to load your resources.

    @diamond@beehaw.org Happy to work with you on this, but I’d request a much more specific source and which resources of Beehaw you’d want that on.

    • diamond (she/they)@beehaw.orgOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Thank you for the reply, I really appreciate it! Currently, my app has been migrated to the WS API so development can continue for now until the WS is removed completely in a later release or Lemmy addresses the CORS issue upstream.

      As for the security concerns, I believe that most of them are addressed in this comment that is in the particular issue that I linked above.

      It’s worth noting that CORS really only applies in the browser and that the WS API currently bypasses this protection (hence me being able to continue with the development).