Implement CORS headers for the API

Postby pcause » 17 Sep 2013, 16:07


Postby dxbi » 17 Sep 2013, 16:50

Isn't the idea to allow cross-site requests specifically for the API (where requests contain explicit authentication as opposed to cookies) while still maintaining XSS protection for the rest of the site?

Postby fox » 17 Sep 2013, 18:33

API supports authentication via cookies, I think. Which could be XSS'd in case of a terrible shitty "web app" written by some idiot.

Postby dxbi » 17 Sep 2013, 19:39

Ah, alright. Didn't look at the source. The API reference says "Session ID should be specified using JSON parameter sid" so I thought this was mandatory.

Postby fox » 17 Sep 2013, 19:44

I think the sid parameter overrides the cookie if it is passed, otherwise it tries the cookie.
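The trade-off discussed in this thread, as an added sketch that is not part of any post and not the project's own code: CORS headers are sent for cross-site API calls, but a session that arrives only via cookie is refused on such calls, while an explicit JSON sid is accepted and overrides the cookie. The site origin, cookie name, session table and status codes are assumptions made for the example.

```python
import json

SITE_ORIGIN = "https://reader.example"   # assumed origin of the site itself
SESSION_COOKIE = "session_id"            # hypothetical cookie name
SESSIONS = {"sid-json-1": "alice", "sid-cookie-1": "bob"}  # constructed data


def resolve_session(body, cookies):
    """Return (user, source); an explicit JSON `sid` overrides the cookie."""
    if "sid" in body:
        sid = body["sid"]
        return (SESSIONS.get(sid) if isinstance(sid, str) else None), "json"
    if SESSION_COOKIE in cookies:
        return SESSIONS.get(cookies[SESSION_COOKIE]), "cookie"
    return None, None


def handle_api_request(headers, cookies, raw_body):
    """Return (status, response_headers) for one API call."""
    origin = headers.get("Origin")
    # Browsers also send Origin on same-site POSTs, so compare, don't just test.
    cross_origin = origin is not None and origin != SITE_ORIGIN
    # Wildcard origin and no Access-Control-Allow-Credentials: browsers will
    # not expose the response of a cookie-bearing cross-site call to scripts.
    cors = {"Access-Control-Allow-Origin": "*"} if cross_origin else {}
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, cors
    if not isinstance(body, dict):
        return 400, cors
    user, source = resolve_session(body, cookies)
    if user is None:
        return 401, cors
    # The browser attaches the cookie automatically, so on a cross-site request
    # it says nothing about who built the call; require the explicit sid there.
    if cross_origin and source == "cookie":
        return 403, cors
    return 200, cors
```

The 403 branch matters because a cross-site POST sent as text/plain needs no preflight: the CORS headers only stop the calling page from reading the response, not the server from acting on the request.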

