You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Access-Control-Allow-Origin: * is maybe a bad idea for the status-page-api, since other websites could derive the geo-location of the wifi client from the status page by accessing the api via ajax.
Very true. I see two possible solutions without totally breaking the status page:
We do not send the header at all when the API is called via a "generic" (next_node) address. This makes it impossible to gather information without knowing the address of the node a user is connected to in advance. However, much more logic has to be implemented server-side (we currently simply ignore the Host header AFAIK).
We only send Access-Control-Allow-Origin: $site.next_node.name$. This will only display neighbour data if the status page is originally called via the next_node address (even if you then navigate away from your next node).
While this will need some transition time, we should simply change the status page to actually link to other nodes' status pages instead of only changing the backend URL when another node is selected, thus avoiding the whole issue.
We could still provide a single Access-Control-Allow-Origin: * endpoint just returning an empty page that can be used to check reachablity (and select a neighbour node's address based on this, like it is already done for the backend URL at the moment).
Access-Control-Allow-Origin: *
is maybe a bad idea for the status-page-api, since other websites could derive the geo-location of the wifi client from the status page by accessing the api via ajax.For reference: similar issue in the wifi of DB
The text was updated successfully, but these errors were encountered: