summaryrefslogtreecommitdiff
path: root/core/api-sync.rst
diff options
context:
space:
mode:
Diffstat (limited to 'core/api-sync.rst')
-rw-r--r--core/api-sync.rst9
1 files changed, 9 insertions, 0 deletions
diff --git a/core/api-sync.rst b/core/api-sync.rst
index 8b8ce5e6..50cde653 100644
--- a/core/api-sync.rst
+++ b/core/api-sync.rst
@@ -405,3 +405,12 @@ $SYNC-PATH the (usually empty) path. By putting the private key after
"#", we may succeed in disclosing the value even to eager Web-ish
interpreters of URLs. Note that the actual synchronization service
must use the HTTPS protocol, which means we can leave out this prefix.
+
+
+---------------------------
+Web Security Considerations
+---------------------------
+
+To ensure that the Taler Web extension (and others) can access the
+service despite Web "security", all service endpoints must set the
+"Access-Control-Allow-Origin: *".