home.social

#cors — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #cors, aggregated by home.social.

  1. CW: Article: Moving a static site from GitHub to Codeberg Pages

    I was recently reminded that I wanted to try out Codeberg Pages, so I migrated a static site over from GitHub Pages. It mostly worked, and I learned a little along the way about how Codeberg Pages works.
    Read more: danq.me/2026/05/04/github-to-c

    #article #codeberg #cors #git #github #web

  2. I just renewed my vehicle registration/insurance. We have a provincial crown corporation here that has a monopoly on it.

    I ran into a problem with their "new & improved!" website [1]. I always do. This one is boring; like 90% of the issues I run into, it's because the developers have only tested the site with Chrome, and they're violating CORS policy (a security thing) so Firefox prevents a request trying to fetch part of the page contents. Chrome doesn't give a damn, it doesn't want to stop any trackers or anything.

    But the 🧑‍🍳 😘 in the whole thing is ... there are various "Feedback" links and buttons. I want to report the issue, so I try them, and ... they haven't actually provided the HREF attribute on the links/buttons at all. They are literally not hooked up to anything.

    Good testing on the new site, boys! You sure you didn't miss testing any of the functionality?

    [1] Why companies absolutely insist on regularly improving their websites into unusability escapes me. As I mentioned elsewhere, it's not like the HTML of the working site has a best-before date on it.

    #CADT #WebDeveloper #Firefox #CORS #HREF #feedback #NewAndImproved #qwality #WeveHeardOfIt

  7. One Open-source Project Daily

    CORS Anywhere is a NodeJS reverse proxy which adds CORS headers to the proxied request.

    https://github.com/Rob--W/cors-anywhere

    #1ospd #opensource #cors #nodejs

  8. [DEV_LOG] PHASE 1.7.5.b: CORE_LOGIC_ERROR

    Mid-week update: It’s worse than it looks. A cascade of ReferenceErrors and TypeErrors is hitting the original build.

    Diagnosis: Identified a failed "Lazy Import" implementation. The browser is triggering a terminal CORS failure on load. Manifest loading is blocked. PWA/Offline capabilities are dark.

    We are sitting with the wreckage for now.

    #WebDev #CORS #SystemFragmentation

  9. I think I just managed to make my Object Storage (#s3 compatible) work on my #peertube

    First, it took 2 weeks because I got a bug with #ovhcloud where they wouldn't deliver the product.

    When I got it set up, it was quite straightforward: just copy/paste all the info and keys into the peertube config file.

    My only struggle was realizing that I had to apply some #cors settings to my bucket.

    Other than that, #yunohost makes self-hosting quite easy.

    The next step will be to migrate my videos to the instance.

    https://social.fraxoweb.com/@frank/statuses/01KG8DX3X7815RFAS3A4ZMV54C

  10. Ooooh, fcuk, it is even worse. I do a JavaScript fetch request. Internally it notices that it needs to do its CORS OPTIONS magic first. That one fails with a 404, as the developer tools show. But the fetch request itself fails. No, it does not come back with a 404 response. It just fails the fetch with

    TypeError: Failed to fetch

    This even though the OPTIONS response says

    Access-Control-Allow-Origin *

    beside the 404. This is baaaad!

    #cors #http #fetch

  11. Fun with #CORS.

    Many web devs come across CORS eventually, the first reaction being WTF. Then they check Stack Overflow or a chatty text randomizer, only to find:

    The server response lacks the Access-Control-Allow-Origin header

    which is confusing, as you're dealing with two servers at this point.

    I thought I understood it, but debugged for an hour to find that an OPTIONS request for .../blabla does not follow the redirect to .../blabla/ (in Firefox at least). 😠

    developer.mozilla.org/en-US/do

    #firefox #webdev

  12. For schedules that block cross-origin access in the browser (e.g. #FOSDEM), there's now a small companion project: the Skedz CORS Proxy. A simple proxy with a domain whitelist, easy to self-host or run locally.

    Public instance: cors.skedz.org
    Example: cors.skedz.org/https://fosdem.
    Source (AGPLv3): github.com/ysorge/skedz-cors-p

    #cors #proxy #fahrplan #skedz

  13. Question for nerds and video watchers: are the closed captions available in this (you may have to enable them)?

    m.earth.org.uk/smart-radiator-

    #CORS #VTT #ClosedCaptions

  14. If #Google would finally get its #CORS headers under control, that'd be great. For over a week I've been trying to update the opening hours of my wife's practice in the search results.

    But AI in the results, THAT works 🙄

    Bloody amateurs.

  15. A somewhat old article (2021), but one that explains the principle of CORS, which drives many developers mad.

    It's a concept I advise every web dev to master inside out, so as to avoid future headaches.

    🔗 jakearchibald.com/2021/cors/

    #CORS #web

  16. Quick question for the #web #security people here:
    If a local device in your network has an API endpoint that may leak your location but has no CORS headers set, who would be able to get that data?
    My understanding is that it is not possible to get that data from another webpage (at least when a somewhat modern browser is used) but if say somebody queried that from an app you installed on your phone they could read it?
    #CORS

  17. 🎵
    Hello, CORSness, my old friend
    I've come to talk with you again

    As I've experienced repeatedly for years, #CORS (#CrossOriginResourceSharing) is notoriously difficult to understand, reason about and implement. So I should not be surprised to find a problem in #Quarkus related to it, and that it has gone unnoticed for years. #Sigh

    I hope the bug report I wrote is clear and actionable: github.com/quarkusio/quarkus/i

    I'd like to migrate @ChronoLink to Quarkus, but this bug is a showstopper for that: the obvious workaround - opening up POST/PUT/DELETE to CORS - feels risky.

    Speaking of risk: this being a hobby project means there is a real risk I won't find the time or energy to write the reproducer the Quarkus team rightly asks for. Oh well...

    #JakartaEE #Java #Programming #IndieDev

  18. An interesting #infosec case study from running #Akkoma Fediverse server with #Minio as S3-compatible object storage - during routine Minio maintenance I’ve spotted suspicious files in the S3 bucket used specifically to host Akkoma media uploads.

    All of the JSONs looked like typical vulnerability discovery markers, e.g. they contained structures like {"id":"insecure-firebase-database"}.

    The root cause was that the akkoma-media bucket had the public access policy set for read and write operations:

    # minio-client anonymous list pandora/akkoma-media
    akkoma-media/* => readwrite

    The fix seems to be to set the public bucket policy to readonly (download in Minio client command line):

    # minio-client anonymous set download pandora/akkoma-media
    Access permission for `pandora/akkoma-media` is set to `download`

    This does not impact the authenticated access policy settings for the bucket which allows Akkoma to write media into the bucket.

    I must admit the Minio documentation is a bit confusing on that aspect, which contributed to my misunderstanding of these settings. In addition, the minio-client policy command has now been replaced by minio-client anonymous.

    Additional protection can be provided by setting #CORS restrictions on the Minio bucket, that is only allowing specific origins (domains) to render the content from these buckets. That’s done using the MINIO_API_CORS_ALLOW_ORIGIN environment variable or the minio-client cors command line. Note this will only prevent using the uploaded files in a specific class of attacks on third-party clients that rely on these files being properly rendered as part of exploit HTML, but it will not prevent their upload/download to the vulnerable bucket, for use e.g. as exploit binaries.
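    As an added illustration of the misconfiguration in the post above (not the author's, Akkoma's or Minio's code): a Python audit of an S3-style bucket policy document, the form in which Minio stores the `mc anonymous` presets, that flags any write action granted to anonymous principals and builds the download-only equivalent. The sample policies are constructed, and mapping the `readwrite` and `download` presets onto these S3 actions is my assumption rather than something the post states.

```python
"""Audit an S3-style bucket policy for anonymous write access.

Constructed example; the mapping of mc's 'readwrite'/'download' presets
onto these S3 actions is an assumption, not taken from the post or Minio docs.
"""
import fnmatch

# Actions an anonymous client may hold on a download-only bucket.
READ_ONLY_ACTIONS = {"s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"}
# Actions that let an anonymous client plant or remove objects, i.e. the
# misconfiguration described in the post.
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"}
KNOWN_ACTIONS = READ_ONLY_ACTIONS | WRITE_ACTIONS


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True for the wildcard principal forms "*", {"AWS": "*"} and {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def anonymous_actions(policy):
    """Concrete S3 actions granted to anonymous principals by Allow statements.

    Wildcards such as "s3:*" or "s3:Put*" are expanded against KNOWN_ACTIONS,
    matching case-insensitively as IAM does. Deny statements are not subtracted:
    an anonymous Allow on a write action is worth flagging regardless.
    """
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted.update(a for a in KNOWN_ACTIONS
                           if fnmatch.fnmatchcase(a.lower(), str(pattern).lower()))
    return granted


def anonymous_write_actions(policy):
    """The subset of anonymous grants that permit uploads or deletions."""
    return anonymous_actions(policy) & WRITE_ACTIONS


def download_only_policy(bucket, allow_listing=True):
    """Hardened policy assumed equivalent to `mc anonymous set download`.

    allow_listing=False also drops s3:ListBucket, so anonymous clients can fetch
    objects whose keys they already know but cannot enumerate the bucket.
    """
    bucket_actions = ["s3:GetBucketLocation"] + (["s3:ListBucket"] if allow_listing else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": ["*"]},
             "Action": bucket_actions, "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Effect": "Allow", "Principal": {"AWS": ["*"]},
             "Action": ["s3:GetObject"], "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


# Constructed sample of what the post's anonymous 'readwrite' preset grants.
PUBLIC_READWRITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"],
         "Resource": ["arn:aws:s3:::akkoma-media"]},
        {"Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                    "s3:ListMultipartUploadParts", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::akkoma-media/*"]},
    ],
}

if __name__ == "__main__":
    for name, policy in (("readwrite", PUBLIC_READWRITE_POLICY),
                         ("download", download_only_policy("akkoma-media"))):
        writes = sorted(anonymous_write_actions(policy))
        print(f"{name}: anonymous write actions = {writes or 'none'}")
```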

  19. Converting static sites into dynamic ones using an API

    This guide from the developers at DST Global reveals the principles of transforming static web resources into interactive dynamic platforms exclusively through the use of an API...

    #DST #DSTGlobal #ДСТ #ДСТГлобал #статическийсайт #динамическийсайт #API #JavaScript #SSG #HTML #SSR #JSON #рендеринг #CDN #REST #GraphQL #HeadlessCMS #CORS #SLA #SEO #CMS #сайт #вебсайт

    Source: dstglobal.ru/club/1126-preobra

  20. Stop fighting CORS errors: let's work out how they function once and for all

    Have you ever seen a console message like «Access to fetch at '…' from origin '…' has been blocked by CORS policy»? It's like that line from the film: "Can you see the gopher? No? But it's there." CORS stays out of sight while everything works, but at the decisive moment it blocks disallowed actions, for example reading the response to a cross-origin request without the server's permission. My name is Bair, I'm a developer on the fuse8 team. In this article I'll answer the questions of why the CORS policy was created, how it works under the hood, why a simple step like "set a header on the backend" may not be enough, and which safe patterns are worth choosing on the frontend.

    habr.com/ru/articles/960400/

    #cors #sop #безопасность_сайтов

  21. CORS Explained: Stop Struggling With Cross-Origin Errors, by (not on Mastodon or Bluesky):

    archive.fo/5rWqj

    #security #cors #httpheaders #http

  26. 🌐 Network and console error diagnosis - analyze network requests for #CORS issues and inspect console logs to understand feature failures

    🎯 User behavior simulation - navigate pages, fill forms, click buttons to reproduce bugs and test complex user flows while inspecting runtime environment

    🎨 Live styling and layout debugging - connect to live pages, inspect #DOM and #CSS for concrete suggestions on complex layout problems like overflowing elements

  27. CORS for interviews and for work

    If you're seeing this error, you're not alone: Access to fetch at ' api.site.com ' from origin ' http://localhost:3000 ' has been blocked by CORS policy. Let's look at why it happens and how to fix it. What CORS is and what it's for. Brief and clear.

    habr.com/ru/articles/935636/

    #CORS #безопасность #cors_ошибки #собеседования

  28. I added two modules (Weather Forecast and Digital Clock) to my #ICandy #dashboard #browser #app today with the help of #Claude4 #Sonnet. As the project gets bigger, it is more difficult to work with Sonnet because of message size, conversation size and quota limits. But it is ok. I was chatting with #Microsoft #Copilot during my down time. Now I learned more about how #VoiceVox, #CORS, #MCP, and local #HTTP work. #AI #AIs are the best invention ever for people who are willing to learn.

  29. I give up! I tried everything I could think of to put the embedded (in an #iframe) #vhx / #VimeoOTT video player in #fullscreen #programatically (without a click or keypress) in a #userscript via #FireMonkey and either the script is blocked by #CORS or the fullscreen request fails or nothing happens.
    I have tried adding the script to the website (www.dropout.tv), to the iframe (embed.vhx.tv with @allFrames), using the player API or vanilla JavaScript, directly in the userscript or by appending a <script> element.
    The furthest I got was running the focus() method of the iframe so I can press "f" without having to click on the player first.

  33. CORS, CORP, COEP, COOP. Sorting out all the CO* policies and looking at the nuances

    There's a fair amount of information in Russian online about SOP and CORS, but the introductions to technologies such as CORP, COEP and COOP seemed insufficient (and some people may be seeing these abbreviations for the first time). So I decided to write an article introducing the CO* policies.

    habr.com/ru/articles/893340/

    #crossorigin #CORS #CORP #COEP #COOP #SOP

  35. Hey you security people! Your firewall is creating all these CORS errors in my browser console and making these SaaS sites behave poorly! Fix that crap!

    Really? Reallllly???

    #cors #web20isGoingWell #web20

  36. Flutter: Building a "Get links for online cinemas" extension for Chrome

    Hi, I'm the author of the FlutterPulse Telegram channel, and I wanted to share with Habr users an extension for Google Chrome, along with the way it was built. The extension was created to obtain links for the yt-dlp program so that files can then be downloaded locally. For now only the site of the TV channel Pyatnitsa, friday.ru, is supported. Who this article is for: people who have nothing to do with programming but want to download a file locally by themselves; people who want to write a browser extension themselves in the Flutter language.

    habr.com/ru/articles/881836/

    #flutter #chrome_extension #cors

  37. 🚨 Help Needed: #CORS and #Cloudflare Access Issues with #Nextflux + #MiniFlux Setup 🚨

    Hi everyone! I’m struggling with a #SelfHosted setup and could really use some advice from the self-hosting community. Lol I've been trying to figure this out for hours with no luck. Here’s my situation:

    Setup

    • MiniFlux: Running in #Docker on a #RaspberryPi500 (#Stormux, based on #ArchLinuxARM).
    • Nextflux: Hosted on Cloudflare Pages.
    • Reverse Proxy: #Caddy (installed via AUR).
    • Cloudflare Access: Enabled for security and SSO.
    • Cloudflared: Also installed via AUR.
    • CORS Settings in Cloudflare Access: Configured to allow all origins, methods, and headers.

    What’s Working

    • MiniFlux is accessible from my home network after removing restrictive CORS settings in both Caddy and MiniFlux.
    • Nextflux is properly deployed on Cloudflare Pages.

    The Problem

    Nextflux cannot connect to MiniFlux due to persistent CORS errors and authentication issues with Cloudflare Access. Here are the errors I’m seeing in the browser console:

    1. CORS Error: Access to fetch at 'https://rss.laniecarmelo.tech/v1/me' from origin 'https://nextflux.laniecarmelo.tech' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
    2. Cloudflare Access Redirection: Request redirected to 'https://lifeofararebird.cloudflareaccess.com/cdn-cgi/access/login/rss.laniecarmelo.tech'.
    3. Failed to Fetch: TypeError: Failed to fetch.

    What I’ve Tried

    1. Service Token Authentication:

      • Generated a service token in Cloudflare Access for Nextflux.
      • Added CF-Access-Client-Id and CF-Access-Client-Secret headers in Caddy for rss.laniecarmelo.tech.
      • Updated Cloudflare Access policies to include a bypass rule for this service token.
    2. CORS Configuration:

      • Tried permissive settings (Access-Control-Allow-Origin: *) in both Caddy and MiniFlux.
      • Configured Cloudflare Access CORS settings to allow all origins, methods, and headers.
    3. Policy Adjustments:

      • Created a bypass policy for my home IP range and public IP.
      • Added an "Allow" policy for authenticated users via email/login methods.
    4. Debugging Logs:

      • Checked Cloudflared logs, which show requests being blocked due to missing access tokens (AccessJWTValidator errors).

    Current State

    Despite these efforts:

    • Requests from Nextflux are still being blocked by Cloudflare Access or failing due to CORS issues.
    • The browser console consistently shows "No 'Access-Control-Allow-Origin' header" errors.

    Goals

    1. Allow Nextflux (hosted on Cloudflare Pages) to connect seamlessly to MiniFlux (behind Cloudflare Access).
    2. Maintain secure access to MiniFlux for other devices (e.g., my home network or mobile devices).

    My Environment

    • Raspberry Pi 500 running Arch Linux ARM.
    • Both Caddy and Cloudflared are installed via AUR packages.
    • MiniFlux is running in Docker with the following environment variables:
      CLOUDFLARE_SERVICE_AUTH_ENABLED=true
      CLOUDFLARE_CLIENT_ID=<client-id>
      CLOUDFLARE_CLIENT_SECRET=<client-secret>

    Relevant Logs

    From cloudflared:

    ERR error="request filtered by middleware handler (AccessJWTValidator) due to: no access token in request"

    From the browser console:

    Access to fetch at 'https://rss.laniecarmelo.tech/v1/me' has been blocked by CORS policy.

    Questions

    1. Is there a better way to configure CORS for this setup?
    2. Should I be handling authentication differently between Nextflux and MiniFlux?
    3. How can I ensure that requests from Nextflux include valid access tokens?

    Any help or advice would be greatly appreciated! 🙏

    #SelfHosting #Cloudflare #CaddyServer #Docker #RSS #CORS #Linux #ArchLinuxARM #CloudflarePages #tech #technology

  38. Very happy to hold this session about #CORS at #ITDevCon European #Delphi Conference! 💘

  39. Hi everyone! 🤗 A short announcement to let you know that tonight there won't be the "usual" coding livestream, since I have to finish preparing my session for *ITDevCon European Delphi Conference*, where I'll be talking about #CORS and #Web development.

    It would be nice to do an #IRL livestream during the event, although connectivity problems and hardware limitations don't play in its favour. 😅

    Expect a full report as soon as possible! 😎

    For those who'll be there, see you at #ITDevCon! 💘
    itdevcon.it/roma

  40. 🚨 CORS error blocking your Laravel API? 🚨

    If your frontend and Laravel backend are on different domains, you’ve probably hit the dreaded CORS policy error.
    Don’t let it break your app! Learn how to configure your Laravel application to allow cross-origin requests, and get your API running smoothly.

    🔧 Fix it now: dev.to/robertobutti/resolve-bl

    #cors #php #laravel #headers #http #tutorial

  41. I never liked CORS. It causes problems, and after years of fighting it, I'm still not sure what problem it tries to solve.

    Now I have a new grudge against it: for my web.fledg.re decentralized project I wanted to add a "proxy" functionality: it allows the app running in the browser using another browser to make a GET request. Once you throw in a mixer, you have a simple anonymous surfing system.

    But: CORS! Of course you cannot connect to any remote website from javascript in your browser. So my marvellous project doesn't work :(

    #Decentralized #CORS #fledger #proxy #sad

  42. [Translation] CORS is dumb

    The CORS technology and the same-origin policy enforced in browsers are things that are often misunderstood. Below I'll explain what they are and why it's time to stop worrying about them. Note: I'm going to talk about CORS and the same-origin policy as a single entity, so I'll often use these terms interchangeably. The point is that they are essentially parts of one system, work in combination with each other, and help you decide what can be done with which resources of mixed origin. Basically, if your requests come from different origins, you'll have to deal with CORS rules, policies and mechanisms. First of all, let me note that CORS is a huge kludge that helps reduce the impact of bugs carried over in legacy code. In this system protection is provided both on an opt-out basis, in an attempt to partially contain XSRF attacks against unprotected or unmodified sites, and on an opt-in basis, so that a site can enable active self-defence. But neither of these measures is enough to solve a deliberately created problem. If your site uses cookies, you are obliged to actively take care of its security. (Okay, that doesn't apply to every site, but better safe than sorry. Set aside time for a thorough audit of your site, or follow the simple steps described below. Even by sticking to the most sensible patterns, you can still expose yourself to XSRF vulnerabilities.)

    habr.com/ru/articles/840498/

    #cors #куки #межсайтовые_сценарии #обратная_совместимость #сайты

  43. Local HTTPS in a dev environment: a simple setup

    Sometimes web development requires a secure environment in the browser, that is, HTTPS. A convenient way to get it is to install a local CA and automate the issuance of certificates for any subdomains of lcl.host and localhost. This is a more functional and convenient alternative to self-signed certificates. To install a local CA there are the tools lcl.host and mkcert, which help you quickly set up and use HTTPS in a dev environment.

    habr.com/ru/companies/globalsi

    #HTTPS #lclhost #mkcert #локальный_УЦ #самоподписанные_сертификаты #CORS #HTTP/2 #HTTP/3 #cookies #OAuth #Anchor #localhost
