What are the risks of enabling Cross-origin resource sharing (DISCOURSE_ENABLE_CORS)

(Anton) #1

So, there is a way to allow JS API requests from domains other than where your Discourse is hosted.

For example, you’d like to embed a topic list that is the result of a search by some criteria - and you want to do it with JavaScript only, making it call your Discourse’s API.

For this to work, you’ll need to enable Cross-origin resource sharing:

For a multi-site setup, you can also use a per-instance setting:

(…see more here)

Now The Question

Are there ANY risks in enabling it?

Be it tiny, small, medium or large, could you please elaborate: which are the risks, drawbacks or other negative sides of enabling cross-origins for a particular domain?

(Sam Saffron) #2

See here:

Bottom line, it is a very bad idea to enable *

(Anton) #3

In general, is it still bad if enabling a single domain only?

(Sam Saffron) #4

Allowing sites you do not control CORS access is a bad idea.
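
The difference between the two replies above (a `*` origin versus a named domain you do not control) comes down to what a page on the allowed origin is able to read while the visitor is logged in. The JavaScript below is an added example, not Discourse code and not code from this thread: `assessCorsResponse` classifies a response's CORS headers the way a browser would, `corsHeadersFor` shows the allowlist form (exact origin match, credentials only for listed origins, `Vary: Origin` for caches), and `isReflectingOrigins` is a check run against a hypothetical `serverCorsHeadersFor` hook. All origins and header sets in it are constructed for the example.

```javascript
// Added example (not Discourse code): what can a cross-site page read from an
// API response, given the CORS headers the server sent back?

// Header names are matched case-insensitively, as browsers do.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Classify a response to a request made by a page on `requestOrigin`.
// Returns { readable, credentialed, verdict }.
function assessCorsResponse(requestOrigin, headers) {
  const acao = getHeader(headers, 'Access-Control-Allow-Origin');
  const acac = getHeader(headers, 'Access-Control-Allow-Credentials') === 'true';

  if (acao === null) {
    // No CORS header: the browser blocks the page from reading the body.
    return { readable: false, credentialed: false, verdict: 'same-origin-only' };
  }
  if (acao === '*') {
    // Browsers never combine "*" with credentials, so the page can read only
    // what an anonymous visitor could read. A server that sends "*" together
    // with credentials:true gets its response rejected, but the setting is
    // still wrong and worth flagging.
    return {
      readable: !acac,
      credentialed: false,
      verdict: acac ? 'invalid-wildcard-with-credentials' : 'public-wildcard',
    };
  }
  if (acao === requestOrigin) {
    // The page may read the response. With credentials:true the request also
    // carried the visitor's session cookie, so that page's JavaScript is
    // acting as the logged-in user: this is why the origin must be one you control.
    return {
      readable: true,
      credentialed: acac,
      verdict: acac ? 'allowed-with-credentials' : 'allowed-anonymous',
    };
  }
  return { readable: false, credentialed: false, verdict: 'origin-mismatch' };
}

// Mitigation: an allowlist. Exact string match on the full origin
// (scheme + host + port); no substring or regex matching.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the response differs per Origin; tell caches so
  };
}

// Detection check: a server that reflects whatever Origin it is given, with
// credentials, behaves like "*" plus the visitor's session. Probe with two
// unrelated origins; a genuine allowlist cannot approve both.
// `serverCorsHeadersFor` is a hypothetical hook returning the headers the
// server would send for a request from the given origin.
function isReflectingOrigins(serverCorsHeadersFor) {
  const probes = ['https://probe-a.invalid', 'https://probe-b.invalid'];
  return probes.every(
    o => assessCorsResponse(o, serverCorsHeadersFor(o)).verdict === 'allowed-with-credentials'
  );
}

// Constructed demonstration.
const allowlist = ['https://blog.example'];
console.log(assessCorsResponse('https://blog.example', { 'Access-Control-Allow-Origin': '*' }));
console.log(assessCorsResponse('https://blog.example', corsHeadersFor('https://blog.example', allowlist)));
console.log(assessCorsResponse('https://unrelated.example', corsHeadersFor('https://unrelated.example', allowlist)));
console.log('allowlist reflects origins:', isReflectingOrigins(o => corsHeadersFor(o, allowlist)));
```

Run with `node cors_check.js`. The verdicts to look at are `allowed-with-credentials` (that origin's scripts act as the logged-in user, so only list origins you operate) and a `true` from `isReflectingOrigins` (the server trusts every origin, which is the `*` case with sessions attached).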

(Anton) #5

So, the only really safe way to query the API from a different domain would be to allow JSONP: either by origin domain or by api_username/key, right?

If that’s correct, I’ve seen some discussion about JSONP in this topic - has it been considered for implementation eventually?