From 67f186613b9fa96c54110ea4112f5ddf5f080161 Mon Sep 17 00:00:00 2001
From: Christian Grothoff <christian@grothoff.org>
Date: Sat, 23 Nov 2019 08:28:25 +0100
Subject: specify disable CORS

---
 core/api-sync.rst | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'core/api-sync.rst')

diff --git a/core/api-sync.rst b/core/api-sync.rst
index 8b8ce5e6..50cde653 100644
--- a/core/api-sync.rst
+++ b/core/api-sync.rst
@@ -405,3 +405,12 @@ $SYNC-PATH the (usually empty) path.  By putting the private key after
 "#", we may succeed in disclosing the value even to eager Web-ish
 interpreters of URLs.  Note that the actual synchronization service
 must use the HTTPS protocol, which means we can leave out this prefix.
+
+
+---------------------------
+Web Security Considerations
+---------------------------
+
+To ensure that the Taler Web extension (and others) can access the
+service despite Web "security", all service endpoints must set the
+"Access-Control-Allow-Origin: *".
-- 
cgit v1.2.3