mastodon/config/initializers
Ben Lubar 13e049d772 Allow cross-origin requests to /.well-known/* URLs. (#9083)
Right now, this includes three endpoints: host-meta, webfinger, and change-password.

host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser.

change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled.

The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery.
2018-10-25 03:13:35 +02:00
..
0_post_deployment_migrations.rb Add post-deployment migration system (#8182) 2018-08-13 13:40:01 +02:00
1_hosts.rb Set Content-Security-Policy rules through RoR's config (#8957) 2018-10-11 20:35:46 +02:00
active_model_serializers.rb Disable AMS logging (#7623) 2018-05-26 01:08:31 +02:00
application_controller_renderer.rb
assets.rb
backtrace_silencers.rb
blacklists.rb
chewy.rb
content_security_policy.rb Add manifest_src to CSP, add blob to connect_src (#8967) 2018-10-12 19:07:30 +02:00
cookies_serializer.rb
cors.rb Allow cross-origin requests to /.well-known/* URLs. (#9083) 2018-10-25 03:13:35 +02:00
devise.rb feat(cookies): Use the same-site attribute to lax (#8626) 2018-09-08 23:54:28 +02:00
doorkeeper.rb Add unread indicator to conversations (#9009) 2018-10-19 01:47:29 +02:00
fast_blank.rb
ffmpeg.rb add ffmpeg initializer (#8855) 2018-10-09 03:02:52 +02:00
filter_parameter_logging.rb
http_client_proxy.rb lint pass 2 (#8878) 2018-10-04 17:38:04 +02:00
httplog.rb
inflections.rb
instrumentation.rb
kaminari_config.rb
mime_types.rb
oj.rb
omniauth.rb lint pass 2 (#8878) 2018-10-04 17:38:04 +02:00
open_uri_redirection.rb rubocop issues - Cleaning up (#8912) 2018-10-08 04:50:11 +02:00
pagination.rb
paperclip.rb Rename S3_CLOUDFRONT_HOST to S3_ALIAS_HOST. (#8423) 2018-08-25 13:27:08 +02:00
premailer_rails.rb
rack_attack.rb lint pass 2 (#8878) 2018-10-04 17:38:04 +02:00
rack_attack_logging.rb Log rate limit hits (#7096) 2018-04-10 01:20:18 +02:00
redis.rb
session_activations.rb
session_store.rb feat(cookies): Use the same-site attribute to lax (#8626) 2018-09-08 23:54:28 +02:00
sidekiq.rb lint pass 2 (#8878) 2018-10-04 17:38:04 +02:00
simple_form.rb Redesign forms, verify link ownership with rel="me" (#8703) 2018-09-18 16:45:58 +02:00
single_user_mode.rb
statsd.rb Fix that Rails.cache information could not be sent via StatsD (#8831) 2018-09-30 00:05:59 +02:00
stoplight.rb Add a circuit breaker for ActivityPub deliveries (#7053) 2018-04-07 21:36:58 +02:00
strong_migrations.rb
suppress_csrf_warnings.rb
trusted_proxies.rb
twitter_regex.rb Lint pass (#8876) 2018-10-04 12:36:53 +02:00
vapid.rb Lint pass (#8876) 2018-10-04 12:36:53 +02:00
wrap_parameters.rb