Page MenuHomeMiraheze

Possible to make the Access-Control-Allow-Origin header to be * by appending &ARBITRARY=.gif
Closed, ResolvedPublic

Description

fetch('https://meta.miraheze.org/wiki/Miraheze?action=raw') is blocked as expected, but appending &ARBITRARY=.gif makes it pass, for example:

fetch('https://meta.miraheze.org/wiki/Miraheze?action=raw&ARBITRARY=.gif')
  .then((res) => res.text())
  .then((res) => console.log(res))

succeed but shouldn't.

The related vcl code is: https://github.com/miraheze/puppet/blob/d79f1773/modules/varnish/templates/default.vcl#L406-L414

Event Timeline

Lens0021 updated the task description. (Show Details)
John added a subscriber: John.

Thank you for identify this problem, I have pushed a resolution but not fully tested it yet. I will verify the resolution before making this public

And css|js|json clearly doesn't seem to be for images; The use cases should be allowed.

You might not be complaining, but it’s a valid complaint. I have now prevented this, it was an oversight in my regex

I am now no longer able to reproduce this.

John changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 11 2022, 17:43
John changed the edit policy from "Custom Policy" to "All Users".