Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Expose HOSTED_VIEWER_ORIGINS as an option. #9929

Closed
burtonator opened this issue Jul 26, 2018 · 3 comments
Closed

Expose HOSTED_VIEWER_ORIGINS as an option. #9929

burtonator opened this issue Jul 26, 2018 · 3 comments
Labels
other

Comments

@burtonator
Copy link

Right now you restrict URLs to HOSTED_VIEWER_ORIGINS but there's now easy way to change these as it's a const.
@Snuffleupagus
Copy link
Collaborator

Please refer to #6916 for some background on this functionality.

Making this easily configurable could, as far as I can tell, basically make it possible to modify the HOSTED_VIEWER_ORIGINS list at runtime. Hence that would essentially render the security that this functionality provides useless, since a user could then (easily) modify it to bypass the restrictions set.

@timvandermeij
Copy link
Contributor

Closing since it does not look like there is anything we can do here that won't impact the functionality.

@mustafa0x
Copy link

@Snuffleupagus Isn't that a job best left for CORS?

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
other
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@burtonator @mustafa0x @timvandermeij @Snuffleupagus