this post was submitted on 10 Jul 2023
773 points (98.9% liked)

Lemmy.World Announcements

29084 readers
197 users here now

This Community is intended for posts about the Lemmy.world server by the admins.

Follow us for server news ๐Ÿ˜

Outages ๐Ÿ”ฅ

https://status.lemmy.world/

For support with issues at Lemmy.world, go to the Lemmy.world Support community.

Support e-mail

Any support requests are best sent to info@lemmy.world e-mail.

Report contact

Donations ๐Ÿ’—

If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.

If you can, please use / switch to Ko-Fi, it has the lowest fees for us

Ko-Fi (Donate)

Bunq (Donate)

Open Collective backers and sponsors

Patreon

Join the team

founded 2 years ago
MODERATORS
 

We've installed Voyager and it's reachable at https://m.lemmy.world, you can browse Lemmy, and login there (also if your account isn't on lemmy.world)

PS Thanks go out to @stux@stux@geddit.social , he came up with the idea (see https://m.geddit.social).

you are viewing a single comment's thread
view the rest of the comments
[โ€“] Redjard@lemmy.dbzer0.com 1 points 1 year ago (2 children)

Makes sense, never thought about that. An annoying situation, I wonder how many security issues would crop up if browsers allowed ignoring cors for pwas...

Currently apicalls are proxied through the server but end up with the lient all the same, with the session being stored in local storage "credentials"?
Will you currate a manual whitelist for direct calls or have the app test if direct fails and fall back to proxied?

[โ€“] aeharding@lemmy.world 3 points 1 year ago

At this point it's manual. We could do some intelligent detection, but at the pace Lemmy dev is moving, I don't think it's worth it. The goal is to rip out the proxy completely once there's a bit more time for most servers to upgrade, and also https://github.com/LemmyNet/lemmy/issues/3567 is resolved.

[โ€“] Redjard@lemmy.dbzer0.com 1 points 1 year ago

Why not add a new tier to pwas. You need to only use cookies scoped to your own domain, you get a new container without any existing session cookies etc. for other websites, but cors is dropped.
That should prevent carelessly putting auth tokens into cookies and should replace cors in that sensitive sessions are containered away and all existing data for other websites that where slopily created somehow are isolated.

After all for the way wefwef works for example I see no benefit to cors