IndieAuth.com
403 Forbidden if origin header not included for JSON authorization_endpoint response
The following is a 403:

```sh
curl 'https://indieauth.com/auth' -X POST -H 'accept: application/json' \
  -H 'referer: https://endpointservices.static.observableusercontent.com/'
```
The following works:

```sh
curl 'https://indieauth.com/auth' -X POST -H 'accept: application/json' \
  -H 'referer: https://endpointservices.static.observableusercontent.com/' \
  -H 'origin: https://endpointservices.static.observableusercontent.com'
```
Looks like it gets bounced at the nginx level.
Why am I sending a referer header but not an origin header? I am hosting code in a puppeteer instance and when you disable CORS that's how it sends requests (and I don't seem to be able to get rid of the referer header) https://observablehq.com/@endpointservices/serverless-cells
So Chrome B.S. of some sorts. It's not blocking me I can just use the form response instead.
Someone has had some weird interaction leading to 403 with sinatra before: https://serverfault.com/questions/690540/getting-403-forbidden-w-referer-on-nginxpassenger
Seems close to the symptoms though not exactly the same.
Pretty sure it's this:
https://stackoverflow.com/questions/10509774/sinatra-and-rack-protection-setting
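As an added example (not code from the IndieAuth.com project or from rack-protection), here is a small Ruby model of the check the linked Stack Overflow thread points at, Rack::Protection::JsonCsrf, run over header sets constructed from the two curl requests above; the host name and the header handling are assumptions modelled on the middleware's documented behaviour, not its source.

```ruby
require 'uri'
# Simplified model of the Rack::Protection::JsonCsrf check (an assumption
# modelled on rack-protection's documented behaviour, not the library's code).
# It rejects a request when all of these hold: the request is not XHR, the
# response is JSON, no Origin header is present, and the Referer host is not
# the served host. Sending an Origin header hands the decision to the
# separate HttpOrigin check instead, which is why the second curl succeeds.
class JsonCsrfModel
  def initialize(host)
    @host = host
  end

  # headers: lower-cased request header names => values
  def blocked?(headers, response_content_type)
    return false if headers['x-requested-with'] == 'XMLHttpRequest'
    return false unless json?(response_content_type)
    return false unless headers['origin'].nil?
    referrer_host(headers['referer']) != @host
  end

  def status_for(headers, response_content_type)
    blocked?(headers, response_content_type) ? 403 : 200
  end

  private
  def json?(content_type)
    content_type.to_s.split(';', 2).first.to_s.strip == 'application/json'
  end

  def referrer_host(referer)
    return nil if referer.to_s.empty?
    URI.parse(referer).host
  rescue URI::InvalidURIError
    nil
  end
end

# Constructed header sets mirroring the two curl requests in the report.
REFERER_ONLY = { 'accept' => 'application/json',
                 'referer' => 'https://endpointservices.static.observableusercontent.com/' }.freeze
WITH_ORIGIN = REFERER_ONLY.merge('origin' => 'https://endpointservices.static.observableusercontent.com').freeze

def demo
  guard = JsonCsrfModel.new('indieauth.com')
  { referer_only: guard.status_for(REFERER_ONLY, 'application/json'),
    with_origin: guard.status_for(WITH_ORIGIN, 'application/json'),
    form_response: guard.status_for(REFERER_ONLY, 'application/x-www-form-urlencoded') }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The third case models the form-encoded fallback mentioned above: a non-JSON response never trips this check, so only the JSON path needs the Origin header.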