[openstreetmap/openstreetmap-website] gpx/create API doesn't work any more since recent website update (#1609)

Tom Hughes notifications at github.com
Thu Aug 10 19:48:07 UTC 2017


So this is the result of a change in the behaviour of `rack-cors`, but that change is deliberate and is probably a good thing.

The previous behaviour was to default to sending `Access-Control-Allow-Credentials: true`, which allows the client to send credentials with a CORS request, and also to reflect the domain, which is required when allowing credentials, as a wildcard domain is not valid in that case.

Now it won't allow you to set a wildcard domain and allow credentials and the default is only to allow credentials if the domains are restricted.

There is a way to go back to the old behaviour, but that behaviour is a potential security issue - we are allowing all domains because our data is generally public, but not everything is, and if we allow credentials then a malicious site could silently fetch (for example) your user details in the background if the browser knew your authentication details.

Note that this doesn't affect OAuth as the browser won't silently sign requests in the way it will silently pass on basic authentication and/or cookies.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/1609#issuecomment-321654658
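As an added illustration of the policy described in the comment above (example code written for this page, not rack-cors or openstreetmap-website code; the function names, constants and origins are hypothetical), here is a minimal CORS header builder that enforces "wildcard origin or credentials, never both", alongside a simulation of what a browser does with each response, including the old reflect-everything default the comment warns about:

```ruby
# Added example, not part of the original post or of rack-cors.
ALLOW_ORIGIN      = 'Access-Control-Allow-Origin'
ALLOW_CREDENTIALS = 'Access-Control-Allow-Credentials'

# Build CORS response headers for a request whose Origin header is +origin+.
#
# allowed_origins: either '*' (any site may read the response) or an Array of
#                  exact origins.
# credentials:     whether the API accepts cookies / HTTP Basic auth cross-origin.
#                  Permitted only with a restricted origin list, because browsers
#                  reject "Access-Control-Allow-Origin: *" together with credentials.
def cors_headers(origin, allowed_origins:, credentials:)
  if allowed_origins == '*'
    raise ArgumentError, 'wildcard origin cannot be combined with credentials' if credentials
    return { ALLOW_ORIGIN => '*' }
  end
  # Not a permitted origin: send no CORS headers at all (never reflect blindly).
  return {} unless allowed_origins.include?(origin)
  headers = { ALLOW_ORIGIN => origin, 'Vary' => 'Origin' }
  headers[ALLOW_CREDENTIALS] = 'true' if credentials
  headers
end

# The pre-change default described in the comment: reflect whatever origin asked
# and always allow credentials. Shown here only to demonstrate the problem.
def legacy_reflecting_headers(origin)
  { ALLOW_ORIGIN => origin, ALLOW_CREDENTIALS => 'true' }
end

# Simulate the browser's check: may a script running on +origin+ read the
# response body of a cross-origin request made with or without credentials
# (cookies / Basic auth attached automatically by the browser)?
def browser_allows_read?(headers, origin, with_credentials:)
  allow = headers[ALLOW_ORIGIN]
  return false if allow.nil?
  if with_credentials
    return false unless headers[ALLOW_CREDENTIALS] == 'true'
    return false if allow == '*'          # wildcard is invalid once credentials are involved
  end
  allow == '*' || allow == origin
end

if __FILE__ == $PROGRAM_NAME
  evil = 'https://evil.example'           # constructed sample origin
  # Public data: readable from anywhere, but only without the victim's cookies.
  h = cors_headers(evil, allowed_origins: '*', credentials: false)
  puts "wildcard, no creds, read anonymous data? #{browser_allows_read?(h, evil, with_credentials: false)}"
  puts "wildcard, no creds, read with victim cookies? #{browser_allows_read?(h, evil, with_credentials: true)}"
  # Old default: the malicious site can read the victim's private data.
  l = legacy_reflecting_headers(evil)
  puts "legacy reflect+creds, read with victim cookies? #{browser_allows_read?(l, evil, with_credentials: true)}"
end
```

The point the comment makes shows up directly: with a wildcard origin the evil site can only read what an anonymous visitor could, while the old reflect-plus-credentials default let it read the victim's own user details. Credentialed CORS is only safe when the origin list is explicit and the origin is reflected from that list, never from the request alone.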