fix: set access-control-allow-credentials=true for auth.pl #7022
Conversation
cgi/auth.pl
Outdated
| # such has hunger.openfoodfacts.org that send a query to world.openfoodfacts.org/cgi/auth.pl | ||
| # can read the resulting response. | ||
|
|
||
| print header(-Access_Control_Allow_Credentials => "true"); |
There was a problem hiding this comment.
As we are sending the header from here, couldn't we first check for referer and limit this to:
defined env["HTTP_REFERER"] and env["HTTP_REFERER"] =~ /^(?:https?://)\w+$main_domain/
assuming $main_domain contains openfoodfacts.org/net/localhost
There was a problem hiding this comment.
Good idea, I added a change like this. The browser will send an Origin header.
|
ok, I imagine you will test before merging ? |
|
Kudos, SonarCloud Quality Gate passed!
|
|
@stephanegigandet is this ready to merge ? |
|
@alexgarel I was waiting for @alexfauquette to confirm it works as expected: #6462 |
* fix access-control-allow-origin header * allow only our subdomains * Origin header does not contain the path Co-authored-by: off <off@openfoodfacts.org>
* fix access-control-allow-origin header * allow only our subdomains * Origin header does not contain the path Co-authored-by: off <off@openfoodfacts.org>
* fix access-control-allow-origin header * allow only our subdomains * Origin header does not contain the path Co-authored-by: off <off@openfoodfacts.org>
* fix access-control-allow-origin header * allow only our subdomains * Origin header does not contain the path Co-authored-by: off <off@openfoodfacts.org>
Fix for #6462