e621ng
[CORS] Access control allow methods
By default CORS only allows POST, GET, HEAD, and OPTIONS. Some API endpoints use DELETE, such as unfavoriting posts. Currently, you cannot access these endpoints in web apps since CORS blocks the request.
This change would allow the default methods, plus DELETE and PUT to allow full endpoint access to web apps.
I'm not a security expert, but I know playing with CORS can lead to security vulnerabilities. From my analysis, POST, PUT, and DELETE require either a CSRF token or an API token. Neither of these tokens is provided by cookies, which makes me believe this is a safe change to make.
You can provide _method=DELETE in a POST body to make a delete request
Hmm, that does appear to work, but it's a monkey patch solution that doesn't add any extra security. It would be nice if e621 properly followed CORS so developers don't have to know the right monkey patch tricks to use the API.
The e621 API also utilizes PATCH.
> it's a monkey patch solution
To be clear, without JS assistance, browsers only make GET, POST, and OPTIONS requests. The _method=XXX parameter is widely used across many web frameworks to change the method from POST to the one indicated.
I discussed CORS with Kira for #288 and my main takeaway from all that was that accessing the API from browsers on other domains directly is not desired, since 3rd party UIs are not something we want. You can of course use it for other things as well, but inadvertently these things are possible as a consequence. Then again, with POST working you can do pretty much everything anyway, and the few common things not working are just a bit of an annoyance.
Now, I knew that the _method param exists but haven't thought about it in the context of CORS before, so this working comes as a bit of a surprise to me. I'm not sure how CORS is supposed to interact with this; it's not like you can restrict by query parameters. Since you can basically access any HTTP verb by doing this right now, and POST works as well, I might just merge this and be done with it.
I will think about it more after my vacation is over.
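The interaction the last two comments puzzle over (a `_method=DELETE` form POST needing no CORS preflight while a real DELETE does, and the CSRF/API token being the control that actually gates the write) can be modelled directly. This is an added, constructed example, not e621ng's code or Rack's own middleware; the helper names, the constant lists and the `token_valid:` flag are assumptions that follow the CORS simple-request rules and the behaviour of Rack-style method override as described in the thread.

```ruby
# Constructed model of the two mechanisms discussed in this PR thread.
# Not e621ng's code; names and lists below are assumptions.
require 'cgi'

OVERRIDABLE = %w[PUT PATCH DELETE].freeze            # what a _method override may become
SIMPLE_METHODS = %w[GET HEAD POST].freeze              # CORS methods that never preflight
SIMPLE_CONTENT_TYPES = %w[application/x-www-form-urlencoded
                          multipart/form-data text/plain].freeze
CORS_ALLOWED_METHODS = %w[GET POST HEAD OPTIONS].freeze # the default the PR describes
WRITE_METHODS = %w[POST PUT PATCH DELETE].freeze        # need a CSRF or API token

# Would a browser send a CORS preflight (OPTIONS) for this cross-origin request?
# Only the method and content type matter for this simplified model.
def preflight_required?(method, headers)
  return true unless SIMPLE_METHODS.include?(method)
  ct = headers.fetch('Content-Type', '').split(';').first.to_s.strip
  !(ct.empty? || SIMPLE_CONTENT_TYPES.include?(ct))
end

# Rack-style override: only a POST may be rewritten, and only to PUT/PATCH/DELETE.
def effective_method(method, body)
  return method unless method == 'POST'
  override = CGI.parse(body).fetch('_method', []).first.to_s.upcase
  OVERRIDABLE.include?(override) ? override : method
end

# Outcome the server sees for a cross-origin browser request. token_valid:
# stands for "a valid CSRF token or API token accompanied the request".
def dispatch(method, headers, body, token_valid:)
  if preflight_required?(method, headers) && !CORS_ALLOWED_METHODS.include?(method)
    return :blocked_by_cors_preflight   # browser never sends the real request
  end
  effective = effective_method(method, body)
  return :rejected_token if WRITE_METHODS.include?(effective) && !token_valid
  [:ok, effective]
end

if __FILE__ == $PROGRAM_NAME
  form = { 'Content-Type' => 'application/x-www-form-urlencoded' }
  p dispatch('DELETE', form, '', token_valid: true)               # :blocked_by_cors_preflight
  p dispatch('POST', form, '_method=DELETE', token_valid: true)   # [:ok, "DELETE"]
  p dispatch('POST', form, '_method=DELETE', token_valid: false)  # :rejected_token
end
```

The point for defenders is the third call: whether the DELETE arrives natively or via `_method`, the token check is what decides the outcome, so widening Access-Control-Allow-Methods changes which path the request takes, not which control protects it.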