Hello, I have a problem with CORS and I think this is right community to get help.
When I use this code:
import { LemmyHttp } from 'lemmy-js-client';
const client = new LemmyHttp('https://lemmy.ml');
const { posts } = await client.getPosts({
limit: 10,
page: 1
});
to get posts from lemmy.ml (using lemmy-js-client), I get:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://lemmy.ml/api/v3/post/list?limit=10&page=1. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 400.
I have tried to add header like this:
const client = new LemmyHttp('https://lemmy.ml', {
headers: {
'Access-Control-Allow-Origin': '*'
}
});
but result is the same.
Can someone help me with this?
Well I’m not expert on CORS, nor with the Lemmy API, so it’s probably better to read about CORS exploits in more detailed articles… https://www.freecodecamp.org/news/exploiting-cors-guide-to-pentesting/ for example
It seems Lemmy is storing a JWT in the cookiejar, so with
Access-Control-Allow-Credentials:true
and the domain inAccess-Control-Allow-Origin
a site should be able to do authenticated get requests on a users behave with the JWT, and access personal data.The “GET https://programming.dev/api/v3/private_message/” endpoint for example, would let someone read the private messages someone has send/received
I’m not sure whether someone could do POST requests and add credentials from the cookiejar this way though