summaryrefslogtreecommitdiff
path: root/core/api-sync.rst
diff options
context:
space:
mode:
authorChristian Grothoff <christian@grothoff.org>2019-11-23 08:28:25 +0100
committerChristian Grothoff <christian@grothoff.org>2019-11-23 08:29:51 +0100
commit67f186613b9fa96c54110ea4112f5ddf5f080161 (patch)
treead4e17194508d49f07011b84c54eea6587dea35a /core/api-sync.rst
parent4dfbc46a0f854e883a030b9d2e9fbd7af865ba44 (diff)
downloaddocs-67f186613b9fa96c54110ea4112f5ddf5f080161.tar.gz
docs-67f186613b9fa96c54110ea4112f5ddf5f080161.tar.bz2
docs-67f186613b9fa96c54110ea4112f5ddf5f080161.zip
specify disable CORS
Diffstat (limited to 'core/api-sync.rst')
-rw-r--r--core/api-sync.rst9
1 files changed, 9 insertions, 0 deletions
diff --git a/core/api-sync.rst b/core/api-sync.rst
index 8b8ce5e..50cde65 100644
--- a/core/api-sync.rst
+++ b/core/api-sync.rst
@@ -405,3 +405,12 @@ $SYNC-PATH the (usually empty) path. By putting the private key after
"#", we may succeed in disclosing the value even to eager Web-ish
interpreters of URLs. Note that the actual synchronization service
must use the HTTPS protocol, which means we can leave out this prefix.
+
+
+---------------------------
+Web Security Considerations
+---------------------------
+
+To ensure that the Taler Web extension (and others) can access the
+service despite Web "security", all service endpoints must set the
+"Access-Control-Allow-Origin: *".