• Redjard@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      This is about cors headers on the api calls? That only don’t affect other apps because they are offline and ignore cors?

        • Redjard@lemmy.dbzer0.com
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Makes sense, never thought about that. An annoying situation, I wonder how many security issues would crop up if browsers allowed ignoring cors for pwas…

          Currently apicalls are proxied through the server but end up with the lient all the same, with the session being stored in local storage “credentials”?
          Will you currate a manual whitelist for direct calls or have the app test if direct fails and fall back to proxied?

          • Redjard@lemmy.dbzer0.com
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            Why not add a new tier to pwas. You need to only use cookies scoped to your own domain, you get a new container without any existing session cookies etc. for other websites, but cors is dropped.
            That should prevent carelessly putting auth tokens into cookies and should replace cors in that sensitive sessions are containered away and all existing data for other websites that where slopily created somehow are isolated.

            After all for the way wefwef works for example I see no benefit to cors

    • iso@lemy.lol
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      edit-2
      1 year ago

      Hey is it dynamic or you have to add a list of instances to direct connect?

      Update: sorry, just saw your answer below 🤷‍♂️