Setting it to * will prevent the browser from including credentials in the request (cookies). Dynamically setting it to the origin of the requesting client effectively does the same but also allows for using credentials.
- 0 Posts
- 3 Comments
Joined 2 年前
Cake day: 2023年7月1日
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
The
Access-Control-Allow-Originis meant to be set on the server side and is part of a mechanism called CORS. MDN has a good guide on CORS (It might seem too long and complex to read if you just want to access some data on an API, but knowing how it works is essential if you plan to work with HTTP-based APIs.)In short, lemmy.ml (and probably most other Lemmy instances) doesn’t seem to allow API access from within a browser. You’ll have to build a Node.js proxy (with lemmy-js-client) and use that to connect the browser to.
What are the exact attack vectors you’re thinking of?