commit 67f186613b9fa96c54110ea4112f5ddf5f080161 parent 4dfbc46a0f854e883a030b9d2e9fbd7af865ba44 Author: Christian Grothoff <christian@grothoff.org> Date: Sat, 23 Nov 2019 08:28:25 +0100 specify disable CORS Diffstat:
| M | core/api-sync.rst | | | 9 | +++++++++ |
1 file changed, 9 insertions(+), 0 deletions(-)
diff --git a/core/api-sync.rst b/core/api-sync.rst @@ -405,3 +405,12 @@ $SYNC-PATH the (usually empty) path. By putting the private key after "#", we may succeed in disclosing the value even to eager Web-ish interpreters of URLs. Note that the actual synchronization service must use the HTTPS protocol, which means we can leave out this prefix. + + +--------------------------- +Web Security Considerations +--------------------------- + +To ensure that the Taler Web extension (and others) can access the +service despite Web "security", all service endpoints must set the +"Access-Control-Allow-Origin: *".