Commit Graph

2 Commits (76aee4e177324850a08ff1890c3fd825d75a7c9e)

Author SHA1 Message Date
boojack 385fa22056 fix(cors): open API to any origin for token auth, keep cookies same-origin
Reflect any Origin so token-authenticated clients (Access Token V2 / PAT)
can call the API cross-origin, but emit Access-Control-Allow-Credentials
only for trusted origins (same host / configured InstanceURL). This keeps
the SameSite=Lax refresh cookie unreadable by untrusted (incl. same-site
subdomain) origins. Origin: null is not reflected.

Note for operators: cross-origin token access is now open by default; if
you front memos with a caching proxy, ensure it honors `Vary: Origin`.
4 weeks ago
boojack bb76949fc0 chore(server): centralize CORS policy 1 month ago