[openstreetmap/openstreetmap-website] Improve HTTPS security (#3108)

Nukeador notifications at github.com
Fri Feb 19 13:22:37 UTC 2021

Thanks for the reply Tom. Some additional thoughts:

- Is "somebody loading an http resource" considered a risk? My understanding is that this is something that should be avoided, especially when allowing user-generated content.
- Is the API loading from the base domain or using a different one? (where I assume external queries are desired)

[Mozilla InfoSec](https://infosec.mozilla.org/guidelines/web_security#cross-origin-resource-sharing)
> For example, if your server provides both a website and an API intended for XMLHttpRequest access on remote websites, only the API resources should return the Access-Control-Allow-Origin header. Failure to do so will allow foreign origins to read the contents of any page on your origin.

Thanks for your time.
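As an added example (not code from the openstreetmap-website project or from the thread's author), the following Rack-style middleware applies the two points raised above: `Access-Control-Allow-Origin` is emitted only for API responses and only for an explicit allow-list of origins, while ordinary page responses get no CORS header and carry a `Content-Security-Policy: upgrade-insecure-requests` directive so that an `http://` subresource introduced through user-generated content is upgraded rather than loaded as mixed content. The `/api/` prefix, the `ALLOWED_ORIGINS` list and the `UPSTREAM` app are constructed assumptions for the demonstration.

```ruby
# Added example: a Rack-compatible middleware separating CORS policy for
# API paths from the no-CORS, no-mixed-content policy for website pages.
# The path prefix and the allowed origins below are hypothetical values.
class OriginHeaders
  API_PREFIX = "/api/".freeze
  # Constructed allow-list of origins permitted to read API responses cross-origin.
  ALLOWED_ORIGINS = ["https://example-client.invalid"].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    path = env["PATH_INFO"].to_s
    origin = env["HTTP_ORIGIN"]

    # Never trust an upstream wildcard: drop any CORS header and re-add it
    # only when this middleware decides it is appropriate.
    headers.delete("Access-Control-Allow-Origin")

    if path.start_with?(API_PREFIX)
      # API resources: allow cross-origin reads, but only for listed origins.
      # Echoing "*" or the raw request origin would let any site read
      # authenticated API responses.
      if origin && ALLOWED_ORIGINS.include?(origin)
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
      end
    else
      # Website pages: no CORS header at all, and ask the browser to fetch any
      # http:// subresource (e.g. from user-generated content) over https instead.
      headers["Content-Security-Policy"] = "upgrade-insecure-requests"
    end

    [status, headers, body]
  end
end

# Constructed upstream app that wrongly sets a wildcard CORS header on every
# response, so the effect of the middleware on page responses is visible.
UPSTREAM = lambda do |_env|
  [200,
   { "Content-Type" => "text/html", "Access-Control-Allow-Origin" => "*" },
   ["<html>ok</html>"]]
end

# Helper returning the [status, headers, body] triple for a simulated request.
def respond(path, origin = nil)
  env = { "PATH_INFO" => path, "REQUEST_METHOD" => "GET" }
  env["HTTP_ORIGIN"] = origin if origin
  OriginHeaders.new(UPSTREAM).call(env)
end

if __FILE__ == $PROGRAM_NAME
  [["/api/map", "https://example-client.invalid"],
   ["/api/map", "https://other.invalid"],
   ["/user/home", nil]].each do |path, origin|
    headers = respond(path, origin)[1]
    puts "#{path} from #{origin.inspect}: ACAO=#{headers['Access-Control-Allow-Origin'].inspect} " \
         "CSP=#{headers['Content-Security-Policy'].inspect}"
  end
end
```

In a Rails application this would be registered with `config.middleware.use OriginHeaders`; the important design choice is that the header decision is keyed on the request path and an explicit origin list, not on whatever the upstream handler happened to set.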
