Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expose HOSTED_VIEWER_ORIGINS as an option. #9929

Closed
burtonator opened this issue Jul 26, 2018 · 3 comments
Closed

Expose HOSTED_VIEWER_ORIGINS as an option. #9929

burtonator opened this issue Jul 26, 2018 · 3 comments
Labels
other

Comments

@burtonator
Copy link

Right now you restrict URLs to HOSTED_VIEWER_ORIGINS but there's now easy way to change these as it's a const.
@Snuffleupagus
Copy link
Collaborator

Please refer to #6916 for some background on this functionality.

Making this easily configurable could, as far as I can tell, basically make it possible to modify the HOSTED_VIEWER_ORIGINS list at runtime. Hence that would essentially render the security that this functionality provides useless, since a user could then (easily) modify it to bypass the restrictions set.

@timvandermeij
Copy link
Contributor

Closing since it does not look like there is anything we can do here that won't impact the functionality.

@mustafa0x
Copy link

@Snuffleupagus Isn't that a job best left for CORS?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
other
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@burtonator @mustafa0x @timvandermeij @Snuffleupagus