please stop fucking "Access-Control-Allow-Origin: *"

Comments
  • 1
    I wish DevRant would do it on all endpoints, though.
  • 4
    @example-user
    I'd prefer OAuth and support for apps/integration.
  • 2
    @SortOfTested Nah, that CORS thing is just a one-liner, and I could have needed it by last month.

    But yeah, could be done better
  • 6
    @example-user
    Turning it off would leave it open to random attacks from script kiddies. Better safe than bloating dfox's bill to the point he shuts the service down. 🤣
  • 1
    @SortOfTested It is also a security risk to keep it cross-origin; any website will be able to make authorised requests on behalf of the currently logged-in user.
  • 3
    @theabbie
    You realize I'm arguing against *, right?
  • 3
    @SortOfTested I know that, I am supporting your argument by adding reasons why it shouldn't be done
  • 3
    @theabbie
    Just making sure, it sounded like you thought I was advocating it 😋
  • 0
    Yeah, * only works if you deliberately avoid cookies and either also avoid standard HTTP auth or trust everyone using the API on the client side not to utilize browser-provided auth tools.
  • 1
    I'm personally all for JWTs and ditching cookies, as they're effectively a way to give HTTP opaque state, but Devrant doesn't work that way.
  • 0
    @Lor-inc we'll need to see what comes of it when they finally move every API to Pipeless (see latest news from dfox).
  • 0
    I wasn't aiming at DR for those wondering.

    So often, when I look up "how to allow CORS requests", I see people saying "just set it to '*'", and I instantly start getting the tendency to become a serial killer.

    Serialized killer? w8wat
  • 0
    @FinlayDaG33k Is there any problem with the header if you bypass the browser's efforts to break your security by authorizing all requests?
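The point several comments above make (that `*` is only safe when the API is used without cookies or browser-managed auth, and that reflecting any origin with credentials lets every website act as the logged-in user) can be shown with a few lines of code. The block below is an added example, not code from devRant or from anyone in this thread. It models the browser's CORS response check in `browserAccepts` (the rules from the Fetch standard: without credentials the header may be `*` or the exact origin; with credentials it must be the exact origin plus `Access-Control-Allow-Credentials: true`) and compares three server-side policies. The origins `https://app.example`, `https://admin.app.example` and `https://evil.example` are made up for the example.

```javascript
// Added example (not from the thread): a model of the browser-side CORS check
// plus three server-side header policies, to show where
// "Access-Control-Allow-Origin: *" is safe and where it is not.
// All origins below are constructed for the example.

// Model of the browser's CORS response check (Fetch standard, simplified):
// - without credentials: ACAO must be "*" or exactly the requesting origin;
// - with credentials (cookies, HTTP auth, TLS client cert): ACAO must be
//   exactly the requesting origin (a literal "*" is rejected) and
//   Access-Control-Allow-Credentials must be exactly "true".
function browserAccepts(headers, origin, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === "*" || acao === origin;
  return acao === origin && headers["Access-Control-Allow-Credentials"] === "true";
}

// Policy 1: the "one-liner" from the thread.
// Acceptable only for a public API that never relies on cookies or HTTP auth.
function wildcardPolicy() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Policy 2: the usual "fix" once the wildcard stops working with cookies:
// reflect whatever Origin the request carries and allow credentials.
// This is the dangerous one: every origin is now trusted with the session.
function reflectAnyOriginPolicy(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Policy 3: explicit allowlist. Reflect the origin only if it is trusted,
// otherwise send no CORS headers at all so the browser blocks the read.
function allowlistPolicy(requestOrigin, allowlist) {
  // "null" is a real Origin value (sandboxed iframes, file://, some redirects)
  // and must never be treated as trusted.
  if (!requestOrigin || requestOrigin === "null" || !allowlist.has(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // so caches do not serve one origin's header to another
  };
}

// Constructed origins for the scenario.
const TRUSTED = new Set(["https://app.example", "https://admin.app.example"]);
const ATTACKER = "https://evil.example";

// Can a page on `origin` read the response under `policy`?
function crossOriginReadAllowed(policy, origin, withCredentials) {
  return browserAccepts(policy(origin), origin, withCredentials);
}

// Run the scenarios and return the outcomes as a plain object.
function evaluate() {
  const allowlisted = (o) => allowlistPolicy(o, TRUSTED);
  return {
    // Wildcard: anyone can read, but only without the victim's cookies.
    wildcardAnonymous: crossOriginReadAllowed(wildcardPolicy, ATTACKER, false),
    wildcardWithCookies: crossOriginReadAllowed(wildcardPolicy, ATTACKER, true),
    // Reflection: the attacker's page reads with the victim's cookies.
    // This is the "any website can make authorised requests" case.
    reflectWithCookies: crossOriginReadAllowed(reflectAnyOriginPolicy, ATTACKER, true),
    // Allowlist: the trusted app yes, the attacker no, "null" no.
    allowlistTrusted: crossOriginReadAllowed(allowlisted, "https://app.example", true),
    allowlistAttacker: crossOriginReadAllowed(allowlisted, ATTACKER, true),
    allowlistNull: crossOriginReadAllowed(allowlisted, "null", true),
  };
}

console.log(evaluate());
```

The takeaway matches the thread: the wildcard is not itself the leak, because browsers refuse to pair `*` with credentials. The leak appears when a developer works around that refusal by echoing the `Origin` header back, which silently turns "allow anyone to read public data" into "allow anyone to act as the logged-in user". The allowlist version is the same one-liner's worth of headers, just gated on an explicit set.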