diff options
| author | Christian Grothoff <christian@grothoff.org> | 2019-11-23 08:28:25 +0100 |
|---|---|---|
| committer | Christian Grothoff <christian@grothoff.org> | 2019-11-23 08:29:51 +0100 |
| commit | 67f186613b9fa96c54110ea4112f5ddf5f080161 (patch) | |
| tree | ad4e17194508d49f07011b84c54eea6587dea35a /core | |
| parent | 4dfbc46a0f854e883a030b9d2e9fbd7af865ba44 (diff) | |
| download | docs-67f186613b9fa96c54110ea4112f5ddf5f080161.tar.gz docs-67f186613b9fa96c54110ea4112f5ddf5f080161.tar.bz2 docs-67f186613b9fa96c54110ea4112f5ddf5f080161.zip | |
specify disable CORS
Diffstat (limited to 'core')
| -rw-r--r-- | core/api-sync.rst | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/core/api-sync.rst b/core/api-sync.rst index 8b8ce5e6..50cde653 100644 --- a/core/api-sync.rst +++ b/core/api-sync.rst @@ -405,3 +405,12 @@ $SYNC-PATH the (usually empty) path. By putting the private key after "#", we may succeed in disclosing the value even to eager Web-ish interpreters of URLs. Note that the actual synchronization service must use the HTTPS protocol, which means we can leave out this prefix. + + +--------------------------- +Web Security Considerations +--------------------------- + +To ensure that the Taler Web extension (and others) can access the +service despite Web "security", all service endpoints must set the +"Access-Control-Allow-Origin: *". |