Hi,

I'm working on a Pull Request for Bodhi web interface to allow retrieving bugs information when we try to attach them to an update. This way we can do some checks on the bug we're trying to attach (is it private? is it a Fedora or Fedora EPEL bug?...) and provide some useful information in the update submission form.

The problem is that the AJAX request to Bugzilla fails, because BZ doesn't provide CORS headers. I've asked BZ guys [2] to add those headers, but I'm a bit confused about how CORS works and I would need some help from someone who may have a deeper knowledge on this.

Does the BZ server need to provide the `Access-Control-Allow-Headers` header or the `Access-Control-Allow-Origin` header? Is it correct what I asked in the opened bug [3]?

What type of security issue may arise with a wildcarded `Access-Control-Allow-Headers: *` header? As I understand CORS, it's not a server protection, rather a client protection. In fact, installing a browser extension like CorsE for Firefox easily bypasses that "protection" and allows the script to run. Am I wrong?

Thanks in advance for any help.

Mattia

[1] https://github.com/mattiaverga/bodhi/tree/manual_bugs
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1641232
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1641232#c6
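
Added illustration, not part of the original message and not Bodhi or Bugzilla code: a JavaScript model of the checks a browser applies to the two headers asked about above, showing that `Access-Control-Allow-Origin` gates reading the response while `Access-Control-Allow-Headers` matters only on a preflight. The origin `https://bodhi.example`, the sample request and all function names are constructed for the example, and it assumes header values within the Fetch standard's size limits.

```javascript
// Model of the browser-side CORS checks described in the Fetch standard.
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
// Lower-case header names so lookups are case-insensitive.
const lower = (h) => Object.fromEntries(Object.entries(h || {}).map(([k, v]) => [k.toLowerCase(), v]));
const list = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// Request header names the server has to approve in a preflight response.
function unsafeHeaders(reqHeaders) {
  return Object.entries(lower(reqHeaders)).filter(([name, value]) => {
    if (SAFE_HEADERS.has(name)) return false;
    if (name !== "content-type") return true;
    return !SAFE_TYPES.has(value.split(";")[0].trim().toLowerCase());
  }).map(([name]) => name);
}
const needsPreflight = (req) => !SAFE_METHODS.has(req.method) || unsafeHeaders(req.headers).length > 0;

// Access-Control-Allow-Origin: may this origin's script read the response?
function originAllowed(req, resHeaders) {
  const h = lower(resHeaders), allow = h["access-control-allow-origin"];
  if (!req.credentials) return allow === "*" || allow === req.origin;
  // With credentials, "*" is refused and Access-Control-Allow-Credentials is required.
  return allow === req.origin && h["access-control-allow-credentials"] === "true";
}

// Access-Control-Allow-Methods and -Headers are read only from the OPTIONS preflight.
function preflightPasses(req, preflightHeaders) {
  if (!originAllowed(req, preflightHeaders)) return false;
  const h = lower(preflightHeaders);
  const methods = list(h["access-control-allow-methods"]);
  const headers = list(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  const star = (items) => !req.credentials && items.includes("*");
  const methodOk = SAFE_METHODS.has(req.method) || methods.includes(req.method) || star(methods);
  // "*" never covers Authorization; it has to be listed by name.
  const headersOk = unsafeHeaders(req.headers).every(
    (n) => headers.includes(n) || (n !== "authorization" && star(headers)));
  return methodOk && headersOk;
}

// Final verdict: is the response body exposed to the calling script?
function scriptCanRead(req, preflightHeaders, responseHeaders) {
  if (needsPreflight(req) && !preflightPasses(req, preflightHeaders)) return false;
  return originAllowed(req, responseHeaders);
}

// Constructed sample: a page on a hypothetical origin sending a custom header.
const sampleReq = { origin: "https://bodhi.example", method: "GET",
  headers: { "X-Requested-With": "XMLHttpRequest" }, credentials: false };
```

Calling `scriptCanRead(sampleReq, preflightHeaders, responseHeaders)` with different header sets shows which server header unblocks which step.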