mastodon/config/initializers
Ben Lubar 13e049d772 Allow cross-origin requests to /.well-known/* URLs. (#9083)
Right now, this includes three endpoints: host-meta, webfinger, and change-password.

host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser.

change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled.

The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery.
2018-10-25 03:13:35 +02:00
..
0_post_deployment_migrations.rb
1_hosts.rb
active_model_serializers.rb
application_controller_renderer.rb
assets.rb
backtrace_silencers.rb
blacklists.rb
chewy.rb
content_security_policy.rb
cookies_serializer.rb
cors.rb
devise.rb
doorkeeper.rb
fast_blank.rb
ffmpeg.rb
filter_parameter_logging.rb
http_client_proxy.rb
httplog.rb
inflections.rb
instrumentation.rb
kaminari_config.rb
mime_types.rb
oj.rb
omniauth.rb
open_uri_redirection.rb
pagination.rb
paperclip.rb
premailer_rails.rb
rack_attack.rb
rack_attack_logging.rb
redis.rb
session_activations.rb
session_store.rb
sidekiq.rb
simple_form.rb
single_user_mode.rb
statsd.rb
stoplight.rb
strong_migrations.rb
suppress_csrf_warnings.rb
trusted_proxies.rb
twitter_regex.rb
vapid.rb
wrap_parameters.rb