home.social

#cors — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #cors, aggregated by home.social.

  1. CW: Article: Moving a static site from GitHub to Codeberg Pages

    I was recently reminded that I wanted to try out Codeberg Pages, so I migrated a static site over from GitHub Pages. It mostly worked, and I learned a little along the way about how Codeberg Pages works.
    Read more: danq.me/2026/05/04/github-to-c

    #article #codeberg #cors #git #github #web

  2. I just renewed my vehicle registration/insurance. We have a provincial crown corporation here that has a monopoly on it.

    I ran into a problem with their "new & improved!" website [1]. I always do. This one is boring; like 90% of the issues I run into, it's because the developers have only tested the site with Chrome, and they're violating CORS policy (a security thing) so Firefox prevents a request trying to fetch part of the page contents. Chrome doesn't give a damn, it doesn't want to stop any trackers or anything.

    But the 🧑‍🍳 😘 in the whole thing is ... there are various "Feedback" links and buttons. I want to report the issue, so I try them, and ... they haven't actually provided the HREF attribute on the links/buttons at all. They are literally not hooked up to anything.

    Good testing on the new site, boys! You sure you didn't miss testing any of the functionality?

    [1] Why companies absolutely insist on regularly improving their websites into unusability escapes me. As I mentioned elsewhere, it's not like the HTML of the working site has a best-before date on it.

    #CADT #WebDeveloper #Firefox #CORS #HREF #feedback #NewAndImproved #qwality #WeveHeardOfIt

  7. One Open-source Project Daily

    CORS Anywhere is a NodeJS reverse proxy which adds CORS headers to the proxied request.

    https://github.com/Rob--W/cors-anywhere

    #1ospd #opensource #cors #nodejs

  8. [DEV_LOG] PHASE 1.7.5.b: CORE_LOGIC_ERROR

    Mid-week update: It’s worse than it looks. A cascade of ReferenceErrors and TypeErrors is hitting the original build.

    Diagnosis: Identified a failed "Lazy Import" implementation. The browser is triggering a terminal CORS failure on load. Manifest loading is blocked. PWA/Offline capabilities are dark.

    We are sitting with the wreckage for now.

    #WebDev #CORS #SystemFragmentation

  9. I think I just managed to make my Object Storage (#s3 compatible) work on my #peertube

    First, it took 2 weeks because I got a bug with #ovhcloud where they wouldn't deliver the product.

    When I got it set up, it was quite straightforward. Just copy/paste all the info and keys into the peertube config file.

    My only struggle was realizing that I had to apply some #cors settings to my bucket.

    Other than that, #yunohost makes selfhosting quite easy.

    The next step will be to migrate my videos to the instance.

    https://social.fraxoweb.com/@frank/statuses/01KG8DX3X7815RFAS3A4ZMV54C

  10. Ooooh, fcuk, it is even worse. I do a JavaScript fetch request. Internally it notices that it needs to do its CORS OPTIONS magic first. That one fails with a 404, as the developer tools show. But the fetch request itself fails. No, it does not come back with a 404 response. It just fails the fetch with

    TypeError: Failed to fetch

    This even though the OPTIONS response says

    Access-Control-Allow-Origin *

    beside the 404. This is baaaad!

    #cors #http #fetch

  11. Fun with #CORS.

    Many web devs come across CORS eventually, first reaction being WTF. Then they see Stack Overflow or a chatty text randomizer to find:

    The server response lacks the Access-Control-Allow-Origin header

    which is confusing, as you're dealing with two servers at this point.

    I thought I understood it, but debugged for an hour to find that an OPTIONS request for .../blabla does not follow the redirect to .../blabla/ (in Firefox at least). 😠

    developer.mozilla.org/en-US/do

    #firefox #webdev
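
Added example, not part of either post above: a simplified model of how a browser judges the OPTIONS preflight, which covers both the 404 case in post 10 and the redirect case in post 11. A preflight passes only if the CORS check succeeds and the status is 2xx; any other outcome is a network error, which fetch() reports as a rejected TypeError rather than a response. The function names and the sample request/response objects are constructed for illustration.

```javascript
// Added example: simplified model of the browser's CORS-preflight decision.
// evaluatePreflight/corsCheck are hypothetical names, not browser APIs.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Case-insensitive header lookup on a plain { name: value } object.
function getHeader(res, name) {
  const key = Object.keys(res.headers || {}).find(
    (k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : res.headers[key];
}

const splitList = (v) =>
  v === null ? [] : v.split(",").map((s) => s.trim()).filter(Boolean);

// The "CORS check": does Access-Control-Allow-Origin admit this origin?
function corsCheck(req, res) {
  const allowOrigin = getHeader(res, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;
  if (!req.credentials && allowOrigin === "*") return true;
  if (allowOrigin !== req.origin) return false;
  if (!req.credentials) return true;
  return getHeader(res, "Access-Control-Allow-Credentials") === "true";
}

// req: { origin, method, unsafeHeaders: [...], credentials: bool }
// res: the OPTIONS response as received; redirects are NOT followed.
function evaluatePreflight(req, res) {
  if (!corsCheck(req, res)) return { ok: false, reason: "CORS check failed" };
  if (res.status < 200 || res.status > 299) {
    // 404 and 3xx land here, regardless of Access-Control-Allow-Origin.
    return { ok: false, reason: `preflight status ${res.status} is not 2xx` };
  }
  const methods = splitList(getHeader(res, "Access-Control-Allow-Methods"));
  const headers = splitList(getHeader(res, "Access-Control-Allow-Headers"))
    .map((h) => h.toLowerCase());
  const wildcardOk = !req.credentials; // "*" is literal when credentials are sent
  if (!methods.includes(req.method) && !SAFELISTED_METHODS.has(req.method) &&
      !(wildcardOk && methods.includes("*"))) {
    return { ok: false, reason: `method ${req.method} not allowed` };
  }
  for (const name of (req.unsafeHeaders || []).map((h) => h.toLowerCase())) {
    // Authorization must always be listed explicitly; "*" never covers it.
    const viaWildcard = wildcardOk && headers.includes("*") && name !== "authorization";
    if (!headers.includes(name) && !viaWildcard) {
      return { ok: false, reason: `header ${name} not allowed` };
    }
  }
  return { ok: true, reason: "preflight passed" };
}

// Constructed sample request and preflight responses.
const req = { origin: "https://app.example", method: "PUT",
              unsafeHeaders: ["Content-Type"], credentials: false };
const notFound = { status: 404, headers: { "Access-Control-Allow-Origin": "*" } };
const redirect = { status: 301, headers: { "Access-Control-Allow-Origin": "*",
                                           Location: "/blabla/" } };
const good = { status: 204, headers: { "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "PUT", "Access-Control-Allow-Headers": "content-type" } };
console.log(evaluatePreflight(req, notFound), evaluatePreflight(req, redirect),
            evaluatePreflight(req, good));
```

On the server side the fix is to answer OPTIONS on the exact requested path with a 2xx status and the CORS headers, without routing it through a 404 handler or a trailing-slash redirect.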

  12. For schedules that block cross-origin access in the browser (e.g. #FOSDEM), there's now a small companion project: the Skedz CORS Proxy. A simple proxy with a domain whitelist, easy to self-host or run locally.

    Public instance: cors.skedz.org
    Example: cors.skedz.org/https://fosdem.
    Source (AGPLv3): github.com/ysorge/skedz-cors-p

    #cors #proxy #fahrplan #skedz

  13. Question for nerds and video watchers: are the closed captions available in this (you may have to enable them)?

    m.earth.org.uk/smart-radiator-

    #CORS #VTT #ClosedCaptions

  14. If #Google would get its #CORS headers under control, that'd be great. For over a week I've been trying to update the opening hours of my wife's practice in the search results.

    But AI in the results, THAT they can manage 🙄

    Crappy amateurs.

  15. A somewhat old article (2021), but one that explains the principle of CORS, which drives many developers crazy.

    It's a concept I advise all web devs to master inside out, to avoid future headaches.

    🔗 jakearchibald.com/2021/cors/

    #CORS #web

  16. Quick question for the #web #security people here:
    If a local device in your network has an API endpoint that may leak your location but has no CORS headers set, who would be able to get that data?
    My understanding is that it is not possible to get that data from another webpage (at least when a somewhat modern browser is used) but if say somebody queried that from an app you installed on your phone they could read it?
    #CORS

  17. 🎵
    Hello, CORSness, my old friend
    I've come to talk with you again

    As I've experienced repeatedly for years, #CORS (#CrossOriginResourceSharing) is notoriously difficult to understand, reason about and implement. So I should not be surprised to find a problem in #Quarkus related to it, and that it has gone unnoticed for years. #Sigh

    I hope the bug report I wrote is clear and actionable: github.com/quarkusio/quarkus/i

    I'd like to migrate @ChronoLink to Quarkus, but this bug is a showstopper for that: the obvious workaround - opening up POST/PUT/DELETE to CORS - feels risky.

    Speaking of risk: this being a hobby project means there is a real risk I won't find the time or energy to write the reproducer the Quarkus team rightly asks for. Oh well...

    #JakartaEE #Java #Programming #IndieDev

  18. An interesting #infosec case study from running #Akkoma Fediverse server with #Minio as S3-compatible object storage - during routine Minio maintenance I’ve spotted suspicious files in the S3 bucket used specifically to host Akkoma media uploads.

    All of the JSONs looked like typical vulnerability discovery markers, e.g. they contained structures like {"id":"insecure-firebase-database"}.

    The root cause was that the akkoma-media bucket had the public access policy set for read and write operations:

    # minio-client anonymous list pandora/akkoma-media
    akkoma-media/* => readwrite
    

    The fix seems to be to set the public bucket policy to readonly (download in Minio client command line)

    # minio-client anonymous set download pandora/akkoma-media
    Access permission for `pandora/akkoma-media` is set to `download`
    

    This does not impact the authenticated access policy settings for the bucket which allows Akkoma to write media into the bucket.

    I must admit the Minio documentation is a bit confusing on that aspect, which contributed to my misunderstanding of these settings. In addition, the minio-client policy was now replaced by minio-client anonymous.

    Additional protection can be provided by setting #CORS restrictions on the Minio bucket, that is only allowing specific origins (domains) to render the content from these buckets. That’s done using MINIO_API_CORS_ALLOW_ORIGIN environment variable or minio-client cors command line. Note this will only prevent using the uploaded files in a specific class of attacks on third-party clients that rely on these files being properly rendered as part of exploit HTML, but it will not prevent their upload/download to the vulnerable bucket, for use e.g. as exploit binaries.

  19. Transforming static sites into dynamic ones using APIs

    This guide from the developers at DST Global covers the principles of transforming static web resources into interactive dynamic platforms purely through the use of APIs...

    #DST #DSTGlobal #ДСТ #ДСТГлобал #статическийсайт #динамическийсайт #API #JavaScript #SSG #HTML #SSR #JSON #рендеринг #CDN #REST #GraphQL #HeadlessCMS #CORS #SLA #SEO #CMS #сайт #вебсайт

    Source: dstglobal.ru/club/1126-preobra

  20. Stop fighting CORS errors: let's work out how they function once and for all

    Have you ever seen a console message like: "Access to fetch at '…' from origin '…' has been blocked by CORS policy"? It's like in that film: "See the gopher? And yet it's there." CORS doesn't catch the eye while everything works, but at the right moment it stops impermissible actions. For example, reading the response to a cross-origin request without the server's permission. My name is Bair, I'm a developer on the fuse8 team. In this article I'll answer questions about why the CORS policy was created, how it works under the hood, why a simple action like "set a header on the backend" may not be enough, and which safe patterns to choose on the frontend.

    habr.com/ru/articles/960400/

    #cors #sop #безопасность_сайтов

  21. CORS Explained: Stop Struggling With Cross-Origin Errors, by (not on Mastodon or Bluesky):

    archive.fo/5rWqj

    #security #cors #httpheaders #http

  26. 🌐 Network and console error diagnosis - analyze network requests for #CORS issues and inspect console logs to understand feature failures

    🎯 User behavior simulation - navigate pages, fill forms, click buttons to reproduce bugs and test complex user flows while inspecting runtime environment

    🎨 Live styling and layout debugging - connect to live pages, inspect #DOM and #CSS for concrete suggestions on complex layout problems like overflowing elements

  27. CORS for interviews and work

    If you see this error, you are not alone: Access to fetch at ' api.site.com ' from origin ' http://localhost:3000 ' has been blocked by CORS policy. Let's look at why this happens and how to fix it. What CORS is and what it is for. Brief and clear.

    habr.com/ru/articles/935636/

    #CORS #безопасность #cors_ошибки #собеседования

  31. I added two modules (Weather Forecast and Digital Clock) to my #ICandy #dashboard #browser #app today with the help of #Claude4 #Sonnet. As the project gets bigger, it is more difficult to work with Sonnet because of message size, conversation size and quota limits. But it is ok. I was chatting with #Microsoft #Copilot during my down time. Now I learned more about how #VoiceVox, #CORS, #MCP, and local #HTTP work. #AI #AIs are the best invention ever for people who are willing to learn.

  35. I even tried, with the help of AI, to write a proxy in Python that is called from #Zoraxy via a Virtual Directory. It does solve the #CORS problem, but in exchange it breaks #Immich's #WebSockets. 🙄 If anyone wants to have a go at it: github.com/keineantwort/immich

  38. So. I've now thrown out #NPM and introduced #Zoraxy. Now I'm constantly getting #CORS errors. The API is reachable via the external URL. 😒