View Revisions: Issue #5802

Summary 0005802: REST service should have some advanced CORS logic
Revision 2019-07-11 16:51 by schanzen
Description Currently, the REST server can be configured in a way that it echoes the Origin of an HTTP request in the CORS response.
This is a security issue as any website is now able to call the GNUnet REST API from the browser.

We should find a way to only allow special browsers and domains to be able to call the REST API and/or leverage the CORS enforcement of the browser.

Intentionally blocking for 0.11.6
Revision 2019-07-11 16:50 by schanzen
Description Currently, the REST server can be configured in a way that it echoes the Origin of an HTTP request in the CORS response.
This is a security issue as any website is now able to call the GNUnet REST API from the browser.

We should find a way to only allow special browsers and domains to be able to call the REST API and/or leverage the CORS enforcement of the browser.
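
The Origin echo described in this issue, next to an exact-match allowlist, as an added example that is not part of the issue report and not GNUnet's code. The function names and the allowlist entries are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed allowlist (hypothetical values); a real service would load
 * these from its configuration instead of hard-coding them. */
static const char *const allowed_origins[] = {
  "http://localhost:4200",
  "https://ui.example.org",
};

/* Behaviour the issue describes: whatever Origin the request carries is
 * reflected into Access-Control-Allow-Origin, so every site is allowed. */
const char *
cors_origin_echo (const char *request_origin)
{
  return request_origin;
}

/* Allowlist variant: returns the value to send in
 * Access-Control-Allow-Origin, or NULL when the header must be omitted. */
const char *
cors_origin_allowlist (const char *request_origin)
{
  size_t i;

  if (NULL == request_origin)
    return NULL; /* no Origin header: nothing to grant */
  /* Sandboxed frames and file:// pages send the literal "null";
   * allowing it would admit arbitrary content. */
  if (0 == strcmp (request_origin, "null"))
    return NULL;
  for (i = 0; i < sizeof (allowed_origins) / sizeof (allowed_origins[0]); i++)
  {
    /* Whole-string comparison: prefix or substring matching would accept
     * look-alikes such as "http://localhost:4200.evil.example". */
    if (0 == strcmp (request_origin, allowed_origins[i]))
      return allowed_origins[i]; /* configured string, not request input */
  }
  return NULL;
}
```

When the allowlist variant returns NULL, the response carries no Access-Control-Allow-Origin header and the browser refuses to hand the response to the calling page. Responses that do vary by origin should also send `Vary: Origin` so caches do not serve one origin's grant to another.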