kaia (kaia@brotka.st)'s status on Friday, 16-Aug-2024 05:16:51 JST
can someone explain CORS to me? let's take the example domain X dot com, X being a placeholder since nobody would be dumb enough to call their company that.
anyway, X dot com uses api.x[.]com for their API. when I'm on that site, my browser blocks that. would that be okay according to CORS? why is it being blocked? it's the same domain.
Pissed Hippo (sun@shitposter.world)'s status on Friday, 16-Aug-2024 05:20:00 JST
@kaia more or less you can't access content on another domain unless that other domain has a CORS header in the response that gives permission for a list, or every site, to access it.
Piggo :verified_horse: (piggo@piggo.space)'s status on Friday, 16-Aug-2024 05:20:24 JST
@kaia this kinda bull is why web dev became so shitty over the last 10 years.
Dalek ☕🫰 (dalekcoffee@oshi.social)'s status on Friday, 16-Aug-2024 05:21:05 JST
@kaia@brotka.st "since nobody would be dumb enough to call their company that." 💀
So my experience is a little limited, but I know this is an issue I ran into with sharkey. From what I understand it is a security feature on the browser level, if the webserver/reverse proxy does not explicitly signify that subdomain as trusted.
Even though my files are files.oshi.social and my instance is oshi.social, it was failing a CORS origin request for my instance icon.
The PROPER solution was to add the subdomain into my headers to authorize that subdomain.
The lazy solution I went with was using my primary instance URL to proxy the image on the subdomain lol
I hope I am close enough to the correct answer here, but again, still new.
Pissed Hippo (sun@shitposter.world)'s status on Friday, 16-Aug-2024 05:21:20 JST
@kaia api.x.com should have a header in it giving permission to x.com, or to "*". If it does not then it wouldn't work.
kaia (kaia@brotka.st)'s status on Friday, 16-Aug-2024 05:21:48 JST
@sun I see, thank you!
kaia (kaia@brotka.st)'s status on Friday, 16-Aug-2024 05:22:10 JST
@dalekcoffee thanks, that correlates to what others added :comfy:
iced depresso (icedquinn@blob.cat)'s status on Friday, 16-Aug-2024 05:23:41 JST
@sun @kaia it might stop being the same domain when the subdomain changes.
it's a very annoying system. I'm not too sure how much it solves any problems, but it has created a lot of them.
Pissed Hippo (sun@shitposter.world)'s status on Friday, 16-Aug-2024 05:24:11 JST
@icedquinn @kaia I think that a subdomain can access its parent domain without a special header but not vice versa.
Pissed Hippo (sun@shitposter.world)'s status on Friday, 16-Aug-2024 05:26:01 JST
@dalekcoffee @kaia it might be okay, but the reason it's on a separate subdomain is that if a bug is found where some kind of user file is exploitable, it can't be used to steal cookies or take control of your site, because of CORS.
Piggo :verified_horse: (piggo@piggo.space)'s status on Friday, 16-Aug-2024 05:26:13 JST
@sun @icedquinn @kaia musky boy didn't send the right header for the OPTIONS request, ig.
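The browser-side rule the replies above are circling (the Access-Control-Allow-Origin header and "*" in sun's replies, the subdomain question, and the OPTIONS preflight piggo mentions), as an added example that is not code from the thread or from any site named in it. It models the decision the browser makes per the Fetch standard: an origin is scheme plus host plus port, so x.com and api.x.com are different origins in both directions, a cross-origin response is readable only when the server's Access-Control-Allow-Origin matches the page's origin (or is "*" for a request without credentials), and a request that is not safelisted first needs an OPTIONS preflight whose response lists the method and headers. Every URL, request and header in it is constructed for illustration; it runs on Node.js 12 or newer with no dependencies.

```javascript
// Added example (not from the thread): a model of the browser-side CORS decision,
// following the Fetch standard's origin comparison, CORS check and preflight
// rules. Every URL, request and header here is constructed for illustration.
// Runs on Node.js 12+ (global URL class, Object.fromEntries), no third-party modules.

// An origin is scheme + host + port. Path does not matter, and a subdomain is a
// different host: x.com and api.x.com are distinct origins in BOTH directions.
function originOf(url) {
  return new URL(url).origin;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Requests built only from these parts are "CORS-safelisted": the browser sends
// them directly. Anything else triggers an OPTIONS preflight first.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Normalise a header object to lower-case names and trimmed string values.
function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
}

// Header names the preflight must explicitly allow (Content-Type counts as unsafe
// when its media type is not one of the three safelisted ones, e.g. JSON).
function unsafeHeaderNames(headers) {
  return Object.entries(lowerKeys(headers))
    .filter(([name, value]) => !SAFE_HEADERS.has(name) ||
      (name === 'content-type' && !SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase())))
    .map(([name]) => name);
}

function needsPreflight(req) {
  return !SAFE_METHODS.has(req.method.toUpperCase()) || unsafeHeaderNames(req.headers).length > 0;
}

// The CORS check the browser applies to a cross-origin response: may page script
// read it? `credentials` models fetch(url, { credentials: 'include' }).
function corsCheck({ pageUrl, requestUrl, credentials = false, responseHeaders }) {
  if (isSameOrigin(pageUrl, requestUrl)) return { allowed: true, reason: 'same origin, CORS not involved' };
  const origin = originOf(pageUrl);
  const h = lowerKeys(responseHeaders);
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) return { allowed: false, reason: 'no Access-Control-Allow-Origin in response' };
  if (acao === '*') {
    if (credentials) return { allowed: false, reason: '"*" is rejected when credentials are sent' };
    return { allowed: true, reason: 'wildcard origin' };
  }
  if (acao !== origin) return { allowed: false, reason: `Access-Control-Allow-Origin ${acao} is not ${origin}` };
  if (credentials && h['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'credentials sent but Access-Control-Allow-Credentials is not "true"' };
  }
  return { allowed: true, reason: 'origin explicitly allowed' };
}

// Preflight: the OPTIONS response must itself pass the CORS check and must list
// the method and every unsafe header. "*" in those lists is a wildcard only for
// credential-less requests, and never covers the Authorization header.
function preflightCheck({ pageUrl, request, preflightHeaders }) {
  const base = corsCheck({ pageUrl, requestUrl: request.url, credentials: request.credentials,
    responseHeaders: preflightHeaders });
  if (!base.allowed) return base;
  const h = lowerKeys(preflightHeaders);
  const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const wildcardOk = !request.credentials;
  const methods = list(h['access-control-allow-methods']);
  const method = request.method.toLowerCase();
  if (!SAFE_METHODS.has(request.method.toUpperCase()) && !methods.includes(method) &&
      !(wildcardOk && methods.includes('*'))) {
    return { allowed: false, reason: `method ${request.method} not in Access-Control-Allow-Methods` };
  }
  const headers = list(h['access-control-allow-headers']);
  for (const name of unsafeHeaderNames(request.headers)) {
    if (!headers.includes(name) && !(wildcardOk && name !== 'authorization' && headers.includes('*'))) {
      return { allowed: false, reason: `header ${name} not in Access-Control-Allow-Headers` };
    }
  }
  return { allowed: true, reason: 'preflight passed' };
}

// The thread's scenario: a page on x.com calling api.x.com (constructed URLs).
const page = 'https://x.com/home';
const api = 'https://api.x.com/v1/timeline';
console.log(isSameOrigin(page, api));                                            // false
console.log(corsCheck({ pageUrl: page, requestUrl: api, responseHeaders: {} }));  // allowed: false
console.log(corsCheck({ pageUrl: page, requestUrl: api,
  responseHeaders: { 'Access-Control-Allow-Origin': 'https://x.com' } }));       // allowed: true
```

The practical reading: the block happens in the browser, not on the server, and the server on api.x.com decides whether to lift it. A wildcard is fine for public, cookie-less data; an endpoint that relies on cookies or an Authorization header has to echo the exact allowed origin (and send Access-Control-Allow-Credentials: true), which is also why reflecting whatever Origin arrives is the classic misconfiguration.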