Page MenuHomeMiraheze

Possible to make the Access-Control-Allow-Origin header to be * by appending &ARBITRARY=.gif
Closed, ResolvedPublic


fetch('') is blocked as expected, but appending &ARBITRARY=.gif makes it pass, for example:

  .then((res) => res.text())
  .then((res) => console.log(res))

succeed but shouldn't.

The related vcl code is:

Event Timeline

Lens0021 updated the task description. (Show Details)
John added a subscriber: John.

Thank you for identify this problem, I have pushed a resolution but not fully tested it yet. I will verify the resolution before making this public

And css|js|json clearly doesn't seem to be for images; The use cases should be allowed.

You might not be complaining, but it’s a valid complaint. I have now prevented this, it was an oversight in my regex

I am now no longer able to reproduce this.

John changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 11 2022, 17:43
John changed the edit policy from "Custom Policy" to "All Users".