Commit Graph

7 Commits (9b47c5d53c24cd5bd9ee84169f4f05bb81f3ed88)

Author SHA1 Message Date
Matt Jankowski 9a3d047f3e
Run `bin/rails app:update` with Rails 7.1 () 2023-10-25 13:56:09 +00:00
Wladimir Palant 23f8e93c64
Fixes - Allow cross origin request for /nodeinfo/2.0 API () 2023-10-16 13:39:25 +02:00
Matt Jankowski 56c0babc0b
Fix rubocop `Layout/ArgumentAlignment` cop () 2023-09-28 15:48:47 +02:00
Nick Schonning 1d557305d2
Enable Rubocop Style/FrozenStringLiteralComment () 2023-07-12 09:47:08 +02:00
ThibG 3f12c07ff5 Use same CORS policy for /@:username and /users/:username ()
Fixes 

rack-cors being called before the application router, it does not follow
the redirection, and we need a separate rule for /users/:username.
2018-12-10 21:39:47 +01:00
Ben Lubar 13e049d772 Allow cross-origin requests to /.well-known/* URLs. ()
Right now, this includes three endpoints: host-meta, webfinger, and change-password.

host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser.

change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled.

The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery.
2018-10-25 03:13:35 +02:00
Yamagishi Kazutoshi 50529cbceb Upgrade Rails to version 5.2.0 () 2018-04-12 14:45:17 +02:00