social.tchncs.de is one of the many independent Mastodon servers you can use to participate in the fediverse.
A friendly server from Germany – which tends to attract techy people, but welcomes everybody. This is one of the oldest Mastodon instances.

#cors

Thor A. Hopland<p>Been using <a href="https://snabelen.no/tags/Vivaldi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Vivaldi</span></a> lately, largely because the <a href="https://snabelen.no/tags/ZenBrowser" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ZenBrowser</span></a> has a problem with handling <a href="https://snabelen.no/tags/CORS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CORS</span></a> on <a href="https://snabelen.no/tags/Angular" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Angular</span></a> apps, like <a href="https://snabelen.no/tags/YouTube" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YouTube</span></a>, meaning it fails to load videos. </p><p>The Zen team is ofc overtaxed and has a lot of things to do, I've been told - even though that just sounds like another "only I can drive" problem that requires recruitment.</p><p>In any case, it functions as expected - being a <a href="https://snabelen.no/tags/Chrome" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Chrome</span></a> based browser - but its proprietary nature is still dubious to me - as in its privacy is questionable.</p>
Brandon H :csharp: :verified:<p>via <span class="h-card" translate="no"><a href="https://dotnet.social/@dotnet" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>dotnet</span></a></span> : .NET Aspire 9.1 is here with six great new dashboard features, and more!</p><p><a href="https://ift.tt/3niZ1yg" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">ift.tt/3niZ1yg</span><span class="invisible"></span></a><br><a href="https://hachyderm.io/tags/DotNetAspire" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DotNetAspire</span></a> <a href="https://hachyderm.io/tags/DotNet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DotNet</span></a> <a href="https://hachyderm.io/tags/Aspire91" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Aspire91</span></a> <a href="https://hachyderm.io/tags/DashboardFeatures" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DashboardFeatures</span></a> <a href="https://hachyderm.io/tags/DeveloperCommunity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DeveloperCommunity</span></a> <a href="https://hachyderm.io/tags/SoftwareDevelopment" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SoftwareDevelopment</span></a> <a href="https://hachyderm.io/tags/TechUpdates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TechUpdates</span></a> <a href="https://hachyderm.io/tags/Localization" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Localization</span></a> <a href="https://hachyderm.io/tags/CORS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CORS</span></a> <a href="https://hachyderm.io/tags/DockerIntegration" class="mention hashtag" rel="nofollow 
noopener noreferrer" target="_blank">#<span>DockerIntegration</span></a> <a href="https://hachyderm.io/tags/UXImpro" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UXImpro</span></a>…</p>
maschmi<p>It is always funny how fast configuration mistakes happen. We do have a review process, we usually test things. But sometimes there are things you can only test for real on the live system. Something like <a href="https://mastodon.social/tags/CORS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CORS</span></a> rules. And if then stress comes along and one does not test it right away, users will trip over it.</p><p>In this case we added a seemingly innocent '/' at the end of 'Allowed-Origins'. Do not do this. This will block access from all paths behind it... (And I learn it every time anew).</p>
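An added example of the trailing-slash mistake described in the post above (my own illustration, not maschmi's configuration or code): a browser serializes the Origin request header as scheme://host[:port] with no path, so an allowlist entry ending in '/' never matches it, and validating entries when the configuration is loaded surfaces the error before users hit it. The hostnames and helper names are constructed placeholders.

```python
"""Why a trailing '/' in a CORS allowed-origins list blocks every cross-origin
caller, and how to catch that at config-load time.

Added example, not the poster's configuration. Browsers send the Origin
request header as scheme://host[:port], never with a path or trailing slash,
so the allowlist entry 'https://app.example.com/' can never equal the header
value 'https://app.example.com'. All hostnames below are constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def normalize_origin(entry: str) -> str:
    """Return the serialized origin (scheme://host[:port]) for one allowlist entry.

    Raises ValueError for anything that is not a bare origin, including a path
    component, which is exactly what a trailing '/' is.
    """
    parts = urlsplit(entry.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"{entry!r} is not an http(s) origin")
    if parts.path or parts.query or parts.fragment:
        raise ValueError(
            f"{entry!r} contains a path; an origin has no path, drop the trailing '/'"
        )
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    # Browsers omit the port when it is the scheme default; mirror that.
    if parts.port is None or parts.port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{parts.port}"


def config_errors(entries: list[str]) -> list[str]:
    """Validate a whole allowlist at startup; returns one message per bad entry."""
    errors = []
    for entry in entries:
        try:
            normalize_origin(entry)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def load_allowed_origins(entries: list[str]) -> frozenset[str]:
    """Fail fast: refuse to start with an allowlist that can never match anything."""
    errors = config_errors(entries)
    if errors:
        raise ValueError("; ".join(errors))
    return frozenset(normalize_origin(e) for e in entries)


def naive_allow_origin(allowed: list[str], request_origin: str) -> str | None:
    """Exact string comparison against the raw config, as hand-rolled middleware
    often does it. With 'https://app.example.com/' in `allowed` this returns
    None for every real browser request, so no ACAO header is ever emitted."""
    return request_origin if request_origin in allowed else None


def cors_headers(allowed: frozenset[str], request_origin: str | None) -> dict[str, str]:
    """Response headers for one request: echo the origin only if it is allowlisted.

    `Vary: Origin` is always set so a shared cache never serves one origin's
    Access-Control-Allow-Origin header to a different origin.
    """
    headers = {"Vary": "Origin"}
    if request_origin is not None and request_origin in allowed:
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers


if __name__ == "__main__":
    browser_origin = "https://app.example.com"  # what the browser actually sends
    broken = ["https://app.example.com/"]       # the innocent-looking mistake
    fixed = ["https://app.example.com"]
    print("naive match with trailing slash:", naive_allow_origin(broken, browser_origin))
    print("config errors:", config_errors(broken))
    print("headers with fixed config:",
          cors_headers(load_allowed_origins(fixed), browser_origin))
```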
Lanie Molinar Carmelo<p><strong>🚨 Help Needed: <a href="https://allovertheplace.ca/tags/CORS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CORS</span></a> and <a href="https://allovertheplace.ca/tags/Cloudflare" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cloudflare</span></a> Access Issues with <a href="https://allovertheplace.ca/tags/Nextflux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Nextflux</span></a> + <a href="https://allovertheplace.ca/tags/MiniFlux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MiniFlux</span></a> Setup 🚨</strong></p><p>Hi everyone! I’m struggling with a <a href="https://allovertheplace.ca/tags/SelfHosted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SelfHosted</span></a> setup and could really use some advice from the self-hosting community. Lol I've been trying to figure this out for hours with no luck. 
Here’s my situation:</p><p><strong><strong>Setup</strong></strong></p><ul><li><strong>MiniFlux</strong>: Running in <a href="https://allovertheplace.ca/tags/Docker" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Docker</span></a> on a <a href="https://allovertheplace.ca/tags/RaspberryPi500" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RaspberryPi500</span></a> (<a href="https://allovertheplace.ca/tags/Stormux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Stormux</span></a>, based on <a href="https://allovertheplace.ca/tags/ArchLinuxARM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ArchLinuxARM</span></a>).</li><li><strong>Nextflux</strong>: Hosted on Cloudflare Pages.</li><li><strong>Reverse Proxy</strong>: <a href="https://allovertheplace.ca/tags/Caddy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Caddy</span></a> (installed via AUR).</li><li><strong>Cloudflare Access</strong>: Enabled for security and SSO.</li><li><strong>Cloudflared</strong>: Also installed via AUR.</li><li><strong>CORS Settings in Cloudflare Access</strong>: Configured to allow all origins, methods, and headers.</li></ul><p><strong><strong>What’s Working</strong></strong></p><ul><li>MiniFlux is accessible from my home network after removing restrictive CORS settings in both Caddy and MiniFlux.</li><li>Nextflux is properly deployed on Cloudflare Pages.</li></ul><p><strong><strong>The Problem</strong></strong></p><p>Nextflux cannot connect to MiniFlux due to persistent CORS errors and authentication issues with Cloudflare Access. 
Here are the errors I’m seeing in the browser console:</p><ol><li><strong>CORS Error</strong>:<code>Access to fetch at 'https://rss.laniecarmelo.tech/v1/me' from origin 'https://nextflux.laniecarmelo.tech' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.</code></li><li><p><strong>Cloudflare Access Redirection</strong>:</p><pre><code>Request redirected to 'https://lifeofararebird.cloudflareaccess.com/cdn-cgi/access/login/rss.laniecarmelo.tech'.<br></code></pre></li><li><p><strong>Failed to Fetch</strong>:</p><pre><code>Failed to fetch: TypeError: Failed to fetch.<br></code></pre></li></ol><p><strong><strong>What I’ve Tried</strong></strong></p><ol><li><p><strong>Service Token Authentication</strong>:</p><ul><li>Generated a service token in Cloudflare Access for Nextflux.</li><li>Added <code>CF-Access-Client-Id</code> and <code>CF-Access-Client-Secret</code> headers in Caddy for <code>rss.laniecarmelo.tech</code>.</li><li>Updated Cloudflare Access policies to include a bypass rule for this service token.</li></ul></li><li><p><strong>CORS Configuration</strong>:</p><ul><li>Tried permissive settings (<code>Access-Control-Allow-Origin: *</code>) in both Caddy and MiniFlux.</li><li>Configured Cloudflare Access CORS settings to allow all origins, methods, and headers.</li></ul></li><li><p><strong>Policy Adjustments</strong>:</p><ul><li>Created a bypass policy for my home IP range and public IP.</li><li>Added an "Allow" policy for authenticated users via email/login methods.</li></ul></li><li><p><strong>Debugging Logs</strong>:</p><ul><li>Checked Cloudflared logs, which show requests being blocked due to missing access tokens (<code>AccessJWTValidator</code> errors).</li></ul></li></ol><p><strong><strong>Current State</strong></strong></p><p>Despite these efforts:</p><ul><li>Requests from Nextflux are still being blocked by Cloudflare Access or failing due to CORS issues.</li><li>The browser console consistently 
shows "No 'Access-Control-Allow-Origin' header" errors.</li></ul><p><strong><strong>Goals</strong></strong></p><ol><li>Allow Nextflux (hosted on Cloudflare Pages) to connect seamlessly to MiniFlux (behind Cloudflare Access).</li><li>Maintain secure access to MiniFlux for other devices (e.g., my home network or mobile devices).</li></ol><p><strong><strong>My Environment</strong></strong></p><ul><li>Raspberry Pi 500 running Arch Linux ARM.</li><li>Both Caddy and Cloudflared are installed via AUR packages.</li><li>MiniFlux is running in Docker with the following environment variables:<br><code>CLOUDFLARE_SERVICE_AUTH_ENABLED=true<br>CLOUDFLARE_CLIENT_ID=&lt;client-id&gt;<br>CLOUDFLARE_CLIENT_SECRET=&lt;client-secret&gt;</code></li></ul><p><strong><strong>Relevant Logs</strong></strong></p><p>From <code>cloudflared</code>:</p><pre><code>ERR error="request filtered by middleware handler (AccessJWTValidator) due to: no access token in request"<br></code></pre><p>From the browser console:</p><pre><code>Access to fetch at 'https://rss.laniecarmelo.tech/v1/me' has been blocked by CORS policy.<br></code></pre><p><strong><strong>Questions</strong></strong></p><ol><li>Is there a better way to configure CORS for this setup?</li><li>Should I be handling authentication differently between Nextflux and MiniFlux?</li><li>How can I ensure that requests from Nextflux include valid access tokens?</li></ol><p>Any help or advice would be greatly appreciated! 
🙏</p><p><a href="https://allovertheplace.ca/tags/SelfHosting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SelfHosting</span></a> <a href="https://allovertheplace.ca/tags/Cloudflare" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cloudflare</span></a> <a href="https://allovertheplace.ca/tags/CaddyServer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CaddyServer</span></a> <a href="https://allovertheplace.ca/tags/Docker" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Docker</span></a> <a href="https://allovertheplace.ca/tags/RSS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RSS</span></a> <a href="https://allovertheplace.ca/tags/CORS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CORS</span></a> <a href="https://allovertheplace.ca/tags/Linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Linux</span></a> <a href="https://allovertheplace.ca/tags/ArchLinuxARM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ArchLinuxARM</span></a> <a href="https://allovertheplace.ca/tags/CloudflarePages" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflarePages</span></a> <a href="https://allovertheplace.ca/tags/tech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>tech</span></a> <a href="https://allovertheplace.ca/tags/technology" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>technology</span></a></p>
Matthias Andrasch<p>Follow up: Official ddev.com article is updated ✅ <a href="https://ddev.com/blog/working-with-vite-in-ddev/" target="_blank" rel="nofollow noopener noreferrer" translate="no"><span class="invisible">https://</span><span class="ellipsis">ddev.com/blog/working-with-vit</span><span class="invisible">e-in-ddev/</span></a></p><p><a href="https://social.tchncs.de/tags/ddev" class="mention hashtag" rel="tag">#<span>ddev</span></a> <a href="https://social.tchncs.de/tags/vite" class="mention hashtag" rel="tag">#<span>vite</span></a> <a href="https://social.tchncs.de/tags/cors" class="mention hashtag" rel="tag">#<span>cors</span></a></p>
Aditya Telange<p>CORS</p><p><a href="https://mastodon.social/tags/CORS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CORS</span></a> <a href="https://mastodon.social/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://mastodon.social/tags/appsec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>appsec</span></a></p>
jub0bs<p>You need to configure <a href="https://infosec.exchange/tags/CORS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CORS</span></a> on a <a href="https://infosec.exchange/tags/golang" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>golang</span></a> server? Here are ten features that distinguish <a href="https://github.com/jub0bs/cors" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/jub0bs/cors</span><span class="invisible"></span></a> from other CORS middleware libraries:</p><p>1. a simple and coherent API<br>2. comprehensive documentation<br>3. extensive configuration validation<br>4. programmatic handling of configuration errors<br>5. safe-by-default middleware<br>6. a useful debug mode<br>7. on-the-fly, concurrency-safe middleware reconfigurability<br>8. strong performance guarantees<br>9. support for Private-Network Access<br>10. full compliance with the Fetch standard</p><p>Sponsors are welcome! <a href="https://github.com/sponsors/jub0bs" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/sponsors/jub0bs</span><span class="invisible"></span></a></p>
jub0bs<p>🎉 I've just released v0.5.0 of jub0bs/cors, my <a href="https://infosec.exchange/tags/CORS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CORS</span></a> middleware library for <a href="https://infosec.exchange/tags/golang" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>golang</span></a>!</p><p>🔍 You can now programmatically handle configuration errors. This feature will be useful to multi-tenant SaaS businesses that let their tenants configure CORS: custom error messages FTW!</p><p>😇 In addition, benign configuration infelicities are now gracefully handled internally rather than bubbled up.</p><p><a href="https://github.com/jub0bs/cors" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/jub0bs/cors</span><span class="invisible"></span></a></p>
AliveDevil<p>Ah yes, <a href="https://tauri.earth/tags/CORS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CORS</span></a>, fuck you too.</p><p><a href="https://tauri.earth/tags/Chrome" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Chrome</span></a> <a href="https://tauri.earth/tags/MicrosoftEdge" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MicrosoftEdge</span></a></p>
jub0bs<p>I keep beating that 🥁, but <a href="https://infosec.exchange/tags/CORS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CORS</span></a> is more complicated than meets the eye; unless you're intimately familiar with the Fetch standard, you likely shouldn't implement CORS "by hand". For <a href="https://infosec.exchange/tags/golang" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>golang</span></a>, consider relying instead on <a href="https://github.com/jub0bs/cors" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/jub0bs/cors</span><span class="invisible"></span></a>: easy to use (and hard to misuse!), performant, flexible. 😇</p>
Habr<p>[Translation] How I got $5000 for an out-of-scope XSS</p><p>A few months ago I received an invitation to take part in a private bug bounty program on the HackerOne platform. At first I ran my usual tests and found various vulnerabilities, such as broken access control (BAC), leakage of other users' authorization tokens, and so on. After I reported these vulnerabilities to the program, I noticed that XSS was considered out of scope under their policy. The program's business was providing services for building content management systems and website builders. When creating an account, users get a unique subdomain of the form &lt;YOUR-SUB&gt;.target.com, which they can customize. Given the structure of the application, XSS was limited to affecting only one's own subdomain, and the program excluded XSS on &lt;YOUR-SUB&gt;.target.com from scope. This pushed me to look for a self-XSS vulnerability and try to chain it with another vulnerability to show more serious consequences. I managed to find several XSS chains that increased its impact. Since only one chain has been confirmed so far, I will write a report only about that one. When the remaining reports are resolved, I plan to publish separate write-ups for each of them. Now let's get to the story itself. Finding the self-XSS did not take long.</p><p><a href="https://habr.com/ru/articles/853742/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">habr.com/ru/articles/853742/</span><span class="invisible"></span></a></p><p><a href="https://zhub.link/tags/bugbounty" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bugbounty</span></a> <a href="https://zhub.link/tags/bughunter" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bughunter</span></a> <a href="https://zhub.link/tags/xss" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>xss</span></a> <a href="https://zhub.link/tags/xss_%D1%83%D1%8F%D0%B7%D0%B2%D0%B8%D0%BC%D0%BE%D1%81%D1%82%D1%8C" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>xss_уязвимость</span></a> <a href="https://zhub.link/tags/cors" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cors</span></a> <a href="https://zhub.link/tags/%D0%B8%D0%BD%D1%84%D0%BE%D1%80%D0%BC%D0%B0%D1%86%D0%B8%D0%BE%D0%BD%D0%BD%D0%B0%D1%8F_%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D1%8C" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>информационная_безопасность</span></a></p>
卡拉今天看了什麼<p>Web Scraping with your Web Browser: Why Not?</p><blockquote><a href="https://readhacker.news/s/6fwYd" rel="nofollow noopener noreferrer" target="_blank">Link</a></blockquote>📌<span> Summary: This article explores the possibility of doing web scraping inside the web browser, pushing back on the traditional practice of relying solely on Python and Beautiful Soup. The author points out that although some extension tools claim to enable scraping without coding, this only works for simple websites. Historically, the way JavaScript evolved made its adoption for web scraping slow. The article describes in detail how to handle CORS problems, how to use proxy servers, and gives simple examples, guiding the reader to build their own scraper in a few lines of code. Finally, the author notes the browser's advantages in retrieving data and suggests continuing to develop a local proxy server.<br><br></span>🎯<span> Key Points: <br>- Web scraping commonly uses Python; JavaScript is used far less.<br>- CORS (Cross-Origin Resource Sharing) affects what JavaScript can access; solutions include using a proxy server.<br>- Using a local proxy server is more effective for more complex scraping work.<br>- A simple scraper example is provided that can be run directly in the browser.<br>- Emphasizes that web data extraction can be done in the browser without cumbersome third-party tools.<br><br></span>🔖 Keywords: <a href="https://social.mikala.one/tags/網頁爬蟲" rel="nofollow noopener noreferrer" target="_blank">#網頁爬蟲</a> <a href="https://social.mikala.one/tags/JavaScript" rel="nofollow noopener noreferrer" target="_blank">#JavaScript</a> <a href="https://social.mikala.one/tags/CORS" rel="nofollow noopener noreferrer" target="_blank">#CORS</a> <a href="https://social.mikala.one/tags/代理伺服器" rel="nofollow noopener noreferrer" target="_blank">#代理伺服器</a> <a href="https://social.mikala.one/tags/數據擷取" rel="nofollow noopener noreferrer" target="_blank">#數據擷取</a><p></p>
Felix Palmen :freebsd: :c64:<p>Ok I guess I'll have to give up again quite quickly 😦 </p><p><a href="https://mastodon.bsd.cafe/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> <a href="https://mastodon.bsd.cafe/tags/Teams" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Teams</span></a> is broken for me as soon as I disable <a href="https://mastodon.bsd.cafe/tags/IPv4" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IPv4</span></a>. From what I could understand in this horrible mess of a "web app", the reason is probably some <a href="https://mastodon.bsd.cafe/tags/CORS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CORS</span></a> error. I have no idea how that could ever be related to <a href="https://mastodon.bsd.cafe/tags/IPv6" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IPv6</span></a> or <a href="https://mastodon.bsd.cafe/tags/NAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NAT</span></a> or anything. Tried temporarily disabling <a href="https://mastodon.bsd.cafe/tags/NAT64" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NAT64</span></a> (to force direct v6 connections), tried adding all of Microsoft's v6 networks to the "exclude" option of bind9 to have everything pass <a href="https://mastodon.bsd.cafe/tags/NAT64" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NAT64</span></a> *avoiding* native IPv6, tried several ways to disable CORS, nothing helped. 🤬 </p><p>Anyone know about these issues with Teams?</p><p>edit: to clarify, "everything" seems to work except for the main purpose: joining an actual call ...</p>
Guilherme Dellagustin<p><span class="h-card" translate="no"><a href="https://podcastindex.social/@StevenB" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>StevenB</span></a></span> <span class="h-card" translate="no"><a href="https://xoxo.zone/@nathan" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>nathan</span></a></span> <span class="h-card" translate="no"><a href="https://podcastindex.social/@merryoscar" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>merryoscar</span></a></span> <span class="h-card" translate="no"><a href="https://podcastindex.social/@martin" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>martin</span></a></span> <span class="h-card" translate="no"><a href="https://podcastindex.social/@francosolerio" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>francosolerio</span></a></span> <span class="h-card" translate="no"><a href="https://podcastindex.social/@podcastguru" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>podcastguru</span></a></span> <span class="h-card" translate="no"><a href="https://podcastindex.social/@algrid" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>algrid</span></a></span> <span class="h-card" translate="no"><a href="https://podcastindex.social/@samsethi" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>samsethi</span></a></span> <span class="h-card" translate="no"><a href="https://podcastindex.social/@dave" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>dave</span></a></span> <span class="h-card" translate="no"><a href="https://podcastindex.social/@mitch" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>mitch</span></a></span> <span class="h-card" translate="no"><a href="https://podcastindex.social/@aegrumet" 
class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>aegrumet</span></a></span> <span class="h-card" translate="no"><a href="https://podcastindex.social/@IceCubeSoup" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>IceCubeSoup</span></a></span> <span class="h-card" translate="no"><a href="https://podcastindex.social/@amugofjava" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>amugofjava</span></a></span> <span class="h-card" translate="no"><a href="https://podcastindex.social/@RyanHirsch" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>RyanHirsch</span></a></span> <br>I don't support it yet on <span class="h-card" translate="no"><a href="https://fosstodon.org/@podstation" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>podstation</span></a></span>; honestly, it is low priority for me, but I support the use case of having different file sizes. This would save bandwidth and maybe also memory and cache storage. This is especially relevant for <a href="https://fosstodon.org/tags/PWA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PWA</span></a>s that don't have a server side, as client-side resize requires <a href="https://fosstodon.org/tags/CORS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CORS</span></a></p>
Habr<p>How I found security problems at YooMoney (Sberbank) and got no money for the vulnerability I found</p><p>As is well known, almost every financial organization in Russia positions itself as a software IT company rather than simply a "bank" or a "payment system". Today we'll talk about YooMoney, a division of Sber, the IT giant of all Russia. Before YooMoney became what it is now, the service existed for a long time as a Yandex product called Yandex.Money. In those days I had a very pleasant experience dealing with the company's technical management: I repeatedly (as a security researcher) reported vulnerabilities to them, and they in turn promptly fixed them, gave feedback and rewarded such work, just as large foreign IT companies did when working with white-hat hackers. A healthy person's IT company, so to speak. But once Sberbank absorbed Yandex.Money and rebranded it, the project started turning into a smoker's IT company instead: communicating with the project's representatives on social networks became practically impossible, all information on the Bug Bounty program pages was removed, and not even a single email address was left as a means of contact for reporting vulnerabilities. A couple of months ago I discovered a vulnerability in the YooMoney service (more on it a bit later) and immediately decided to report it. However, I found no relevant contact forms, email addresses and so on; there was simply no way to report such a vulnerability safely on the service's official website. I tried to contact people working at YooMoney, but again I got no feedback. At that point I, as they say, "gave up", hoping that the bug would be fixed without me, because surely such a gaping hole can't stay unnoticed for long, right? Spoiler: it can.</p><p><a href="https://habr.com/ru/articles/844224/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">habr.com/ru/articles/844224/</span><span class="invisible"></span></a></p><p><a href="https://zhub.link/tags/%D1%83%D1%8F%D0%B7%D0%B2%D0%B8%D0%BC%D0%BE%D1%81%D1%82%D1%8C" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>уязвимость</span></a> <a href="https://zhub.link/tags/%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D1%8C" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>безопасность</span></a> <a href="https://zhub.link/tags/%D1%81%D0%B1%D0%B5%D1%80" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>сбер</span></a> <a href="https://zhub.link/tags/%D1%81%D0%B1%D0%B5%D1%80%D0%B1%D0%B0%D0%BD%D0%BA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>сбербанк</span></a> <a href="https://zhub.link/tags/%D1%8E%D0%BC%D0%B0%D0%BD%D0%B8" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>юмани</span></a> <a href="https://zhub.link/tags/yoomoney" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>yoomoney</span></a> <a href="https://zhub.link/tags/%D1%8F%D0%BD%D0%B4%D0%B5%D0%BA%D1%81%D0%B4%D0%B5%D0%BD%D1%8C%D0%B3%D0%B8" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>яндексденьги</span></a> <a href="https://zhub.link/tags/CORS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CORS</span></a> <a href="https://zhub.link/tags/%D1%83%D1%82%D0%B5%D1%87%D0%BA%D0%B0" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>утечка</span></a></p>
Roberto B.<p>🚨 CORS error blocking your Laravel API? 🚨</p><p>If your frontend and Laravel backend are on different domains, you’ve probably hit the dreaded CORS policy error.<br>Don’t let it break your app! Learn how to configure your Laravel application to allow cross-origin requests, and get your API running smoothly.</p><p>🔧 Fix it now: <a href="https://dev.to/robertobutti/resolve-blocked-by-cors-policy-no-access-control-allow-origin-in-laravel-kp1" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">dev.to/robertobutti/resolve-bl</span><span class="invisible">ocked-by-cors-policy-no-access-control-allow-origin-in-laravel-kp1</span></a></p><p><a href="https://phpc.social/tags/cors" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cors</span></a> <a href="https://phpc.social/tags/php" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>php</span></a> <a href="https://phpc.social/tags/laravel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>laravel</span></a> <a href="https://phpc.social/tags/headers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>headers</span></a> <a href="https://phpc.social/tags/http" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>http</span></a> <a href="https://phpc.social/tags/tutorial" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>tutorial</span></a></p>
Habr<p>[Translation] CORS is dumb</p><p>CORS and the same-origin policy enforced by browsers are things that are often misunderstood. Below I will explain what they are and why it is time to stop worrying about them. Note: I am going to talk about CORS and the same-origin policy as a single entity, so I will often use these terms interchangeably. The point is that they are essentially parts of one system; they work in combination with each other and help you decide what may be done with which resources of mixed origin. In principle, if your requests come from different origins, you will have to deal with CORS rules, policies and mechanisms. First of all, let me note that CORS is a huge crutch that helps reduce the impact of bugs inherited from legacy code. In this system, protection is provided both on an opt-out basis, in an attempt to partially contain XSRF attacks against unprotected or unmodified sites, and on an opt-in basis, so that a site can enable active self-protection. But neither of these measures is enough to solve a deliberately created problem. If your site uses cookies, you are obliged to actively take care of its security. (Okay, this doesn't apply to every site, but better safe than sorry. Set aside time for a thorough audit of your site, or follow the simple steps described below. Even following the most sensible patterns, you can still expose yourself to XSRF vulnerabilities.)</p><p><a href="https://habr.com/ru/articles/840498/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">habr.com/ru/articles/840498/</span><span class="invisible"></span></a></p><p><a href="https://zhub.link/tags/cors" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cors</span></a> <a href="https://zhub.link/tags/%D0%BA%D1%83%D0%BA%D0%B8" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>куки</span></a> <a href="https://zhub.link/tags/%D0%BC%D0%B5%D0%B6%D1%81%D0%B0%D0%B9%D1%82%D0%BE%D0%B2%D1%8B%D0%B5_%D1%81%D1%86%D0%B5%D0%BD%D0%B0%D1%80%D0%B8%D0%B8" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>межсайтовые_сценарии</span></a> <a href="https://zhub.link/tags/%D0%BE%D0%B1%D1%80%D0%B0%D1%82%D0%BD%D0%B0%D1%8F_%D1%81%D0%BE%D0%B2%D0%BC%D0%B5%D1%81%D1%82%D0%B8%D0%BC%D0%BE%D1%81%D1%82%D1%8C" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>обратная_совместимость</span></a> <a href="https://zhub.link/tags/%D1%81%D0%B0%D0%B9%D1%82%D1%8B" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>сайты</span></a></p>
Parsingphase<p>Looks like I snuck in a <a href="https://m.phase.org/tags/lifer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>lifer</span></a> between the whales and dolphins.<br>Cory's Shearwater, 15 miles off Gloucester MA this morning.<br><a href="https://m.phase.org/tags/CORS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CORS</span></a> <a href="https://m.phase.org/tags/Birds" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Birds</span></a> <a href="https://m.phase.org/tags/CorysShearwater" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CorysShearwater</span></a></p>
jbz<p>🔓CORS is Stupid - Kevin Cox <br>— Kevin Cox</p><p>「 First and foremost CORS is a giant hack to mitigate legacy mistakes. It provides both opt-out protections as an attempt to mitigate XSS attacks against unaware or unmodified sites and opt-in protections for sites to actively protect themselves. But none of these protections are actually sufficient to solve the intended problem 」</p><p><a href="https://kevincox.ca/2024/08/24/cors/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">kevincox.ca/2024/08/24/cors/</span><span class="invisible"></span></a></p><p><a href="https://indieweb.social/tags/cors" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cors</span></a> <a href="https://indieweb.social/tags/xss" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>xss</span></a> <a href="https://indieweb.social/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a></p>
kevincox<p>CORS is Stupid <a href="https://fosstodon.org/tags/Web" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Web</span></a> <a href="https://fosstodon.org/tags/CORS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CORS</span></a> <a href="https://fosstodon.org/tags/blog" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>blog</span></a> <a href="https://kevincox.ca/2024/08/24/cors/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">kevincox.ca/2024/08/24/cors/</span><span class="invisible"></span></a></p>
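The point the Habr translation and the two "CORS is Stupid" posts above make, that CORS response headers only decide what a cross-origin page may read while a cookie-using site must actively defend itself against XSRF, as an added example that is not from the posts or from Kevin Cox's article. It assumes the server passes its own origin in as `site_origin` and calls `allow_state_change` on every state-changing endpoint before doing any work.

```python
# Added example: the "opt-in" self-defence for a site that uses cookies.
# Access-Control-Allow-Origin only controls whether the *browser* lets the
# calling page read the response; the request and its cookies still reach
# the server, so the server must itself refuse cross-site state changes,
# using the metadata browsers attach to every request.
from typing import Mapping, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state anyway


def origin_of(headers: Mapping[str, str]) -> Optional[str]:
    """Best-effort request origin: the Origin header, else derived from Referer.

    A sandboxed or opaque origin arrives as the literal string "null", which
    deliberately never matches a real site origin."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        # "https://host[:port]/path" -> ["https:", "", "host[:port]", "path"]
        parts = referer.split("/", 3)
        if len(parts) >= 3 and parts[0].endswith(":") and parts[1] == "":
            return "/".join(parts[:3])
    return None


def allow_state_change(method: str, headers: Mapping[str, str],
                       site_origin: str) -> bool:
    """True only if a cookie-bearing request is allowed to change state.

    Fetch Metadata (Sec-Fetch-Site) is used when the browser sent it;
    otherwise Origin/Referer must equal the site's own origin. A request
    carrying none of these headers is rejected (fail closed), because a
    cross-site request is exactly where they may have been stripped."""
    if method.upper() in SAFE_METHODS:
        return True
    sfs = headers.get("Sec-Fetch-Site")
    if sfs is not None:
        # "none" = user-initiated (bookmark, address bar), not another page.
        return sfs in ("same-origin", "none")
    src = origin_of(headers)
    return src is not None and src == site_origin


if __name__ == "__main__":
    # Constructed sample: a cross-site POST that arrives with the victim's
    # session cookie. CORS would hide the response from the attacker page,
    # but without this check the server would still have performed the write.
    site = "https://app.example"  # placeholder site origin
    hdrs = {"Cookie": "session=abc", "Origin": "https://other.example"}
    print("allowed:", allow_state_change("POST", hdrs, site))  # allowed: False
```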