[openstreetmap/openstreetmap-website] Improve HTTPS security (#3108)

Nukeador notifications at github.com
Fri Feb 19 13:22:37 UTC 2021


Thanks for the reply Tom. Some additional thoughts:

- Is "somebody using loading a http resource" considered a risk? My understanding is that this is something that should be avoided, especially when allowing user-generated content.
- Is the API loading from the base domain or using a different one? (where I assume external queries are desired)

[Mozilla InfoSec](https://infosec.mozilla.org/guidelines/web_security#cross-origin-resource-sharing)
> For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, only the API resources should return the Access-Control-Allow-Origin header. Failure to do so will allow foreign origins to read the contents of any page on your origin.

Thanks for your time.

https://github.com/openstreetmap/openstreetmap-website/issues/3108#issuecomment-782070715

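The two points raised in the comment above (not exposing a CORS allow header on ordinary pages, and not letting an https page pull in http sub-resources) can both be demonstrated with a small Rack-style middleware. The following is an added example written for this thread; it is not code from openstreetmap-website, and the `/api/` prefix, the allowed origin `https://editor.example.org`, the header values and the inner "leaky" app are all assumptions chosen for illustration. It uses only the Rack calling convention (`call(env)` returning `[status, headers, body]`), so it runs without the rack gem.

```ruby
# Added example, not part of the openstreetmap-website project.
# A minimal Rack-style middleware that follows the Mozilla guidance quoted
# in the thread: only API resources return Access-Control-Allow-Origin,
# and website pages get a CSP that blocks mixed content.
class OriginScopedHeaders
  # Assumed: only this prefix is intended for cross-origin XMLHttpRequest use.
  API_PREFIX = "/api/".freeze
  # Assumed trusted origin (hypothetical). "*" is deliberately not used.
  ALLOWED_ORIGINS = ["https://editor.example.org"].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    path   = env["PATH_INFO"].to_s
    origin = env["HTTP_ORIGIN"]

    # Whatever the inner app set, start from a clean slate for this header.
    headers.delete("Access-Control-Allow-Origin")

    if path.start_with?(API_PREFIX)
      # API responses: echo the origin only when it is on the allow list,
      # and tell caches the answer depends on the Origin request header.
      if origin && ALLOWED_ORIGINS.include?(origin)
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
      end
    else
      # Website responses: no ACAO at all, so a foreign origin cannot read a
      # rendered page, plus a CSP that refuses http:// sub-resources (such as
      # a user-supplied image URL) on an https page.
      headers["Content-Security-Policy"] = "block-all-mixed-content"
    end
    [status, headers, body]
  end
end

# Constructed inner app: serves HTML for pages and JSON under /api/, and
# carelessly sets a wildcard ACAO on every response so the middleware has
# something to strip.
LEAKY_APP = lambda do |env|
  if env["PATH_INFO"].to_s.start_with?(OriginScopedHeaders::API_PREFIX)
    [200, { "Content-Type" => "application/json", "Access-Control-Allow-Origin" => "*" }, ['{"ok":true}']]
  else
    [200, { "Content-Type" => "text/html", "Access-Control-Allow-Origin" => "*" }, ["<html>user page</html>"]]
  end
end

# Runs one constructed request through the stack and returns the response headers.
def response_headers(path, origin = nil)
  env = { "PATH_INFO" => path, "REQUEST_METHOD" => "GET" }
  env["HTTP_ORIGIN"] = origin if origin
  _status, headers, _body = OriginScopedHeaders.new(LEAKY_APP).call(env)
  headers
end

if $PROGRAM_NAME == __FILE__
  p response_headers("/user/alice", "https://evil.example")          # no ACAO, CSP present
  p response_headers("/api/0.6/map", "https://editor.example.org")   # ACAO echoed, Vary: Origin
  p response_headers("/api/0.6/map", "https://evil.example")         # ACAO stripped
end
```

The check worth keeping from this is the first branch: a page outside the API prefix never carries `Access-Control-Allow-Origin`, regardless of what a view or an upstream layer put there, and the allow list never contains the site's own origin or a wildcard.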