On 10/30/18 7:13 PM, Tom Hughes wrote:
>
> No it protects against unintended exfiltration of data from
> the server - without it a random web page could have javascript
> that did a background XHR to a web site that required authentication
> and just wait until somebody happens to visit that page who happens
> to have a valid session cookie for the target site.
>
> So allowing CORS access to resources that don't require authentication
> is not normally a problem but allowing it to resources that do require
> some sort of authentication requires that you trust the domain you are
> allowing the access to.

So, for example, it is acceptable that https://apps.fedoraproject.org/packages/ sends an `access-control-allow-origin: *` header because it doesn't require authentication, while BZ must use something more granular, doesn't it?

>
> So for BZ I guess the issue will be figuring out if any of the bugs
> you are getting information on are restricted in any way? or maybe
> that's fine if the bodhi user has access to those bugs and the domain
> can just be validated to restrict it to bodhi?
>

From what I see, if a bug is somehow restricted (like private bugs) BZ will handle that with an error response in the JSON reply. For example:

https://bugzilla.redhat.com/jsonrpc.cgi?method=Bug.get&params=[{%22ids%22:1641325}]

returns a "You are not authorized to access" even though in the same browser session I'm logged in to BZ and can see the bug content in the HTML view.

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
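The distinction drawn in the thread (a wildcard origin is fine for anonymous data, authenticated resources need an explicit origin allowlist) as an added Python example; this is illustrative code written for this page, not Bugzilla's or Bodhi's own, and the trusted origin `https://bodhi.fedoraproject.org` is an assumed placeholder.

```python
# Added example (not from the thread): a server-side CORS policy helper.
# Public resources answer with `Access-Control-Allow-Origin: *`. Resources that
# are read with the caller's session cookie only get CORS headers when the
# request's Origin is on an explicit allowlist; then the exact origin is echoed
# together with `Access-Control-Allow-Credentials: true` and `Vary: Origin`.
from typing import Dict, Optional
from urllib.parse import urlsplit

# Hypothetical allowlist: origins trusted to read authenticated Bugzilla data.
TRUSTED_ORIGINS = frozenset({"https://bodhi.fedoraproject.org"})


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] for a well-formed Origin header, else None."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None  # an Origin value never carries a path or query
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_headers(origin: Optional[str], requires_auth: bool) -> Dict[str, str]:
    """CORS response headers for a request that carried Origin `origin`."""
    if not requires_auth:
        # Anonymous data (the packages app case): any page may read it.
        return {"Access-Control-Allow-Origin": "*"}
    norm = normalize_origin(origin or "")
    if norm is None or norm not in TRUSTED_ORIGINS:
        # Unknown origin: emit no CORS headers. The request still reached the
        # server with cookies, but the browser refuses to expose the response.
        return {}
    return {
        "Access-Control-Allow-Origin": norm,        # exact origin, never "*"
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                           # keep shared caches per-origin
    }


def is_unsafe_policy(headers: Dict[str, str]) -> bool:
    """Flag a wildcard origin combined with credentials (browsers reject it too)."""
    return (headers.get("Access-Control-Allow-Origin") == "*"
            and headers.get("Access-Control-Allow-Credentials", "").lower() == "true")
```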