Investigate CORS / authorization for anonymous requests #268

hburn7 · 2024-04-16T15:42:28Z

Filtering of anonymous requests

We need to identify the proper way for anonymous requests to be made specifically from the website. We desire a result of [AllowAnonymous] for any unauthorized website visitor. We do NOT want to allow requests from any program / client from the open internet for these calls.

Possible solutions

Specific authorization policy that relies on a private header value
Use CORS in some way to restrict which requests make it through. This is preferable as we already have a CORS policy, but we'll still have to get past the authorization middleware.

The text was updated successfully, but these errors were encountered:

hburn7 · 2024-12-11T22:40:44Z

Do we need to keep this open?

myssto · 2024-12-12T00:12:25Z

Do we need to keep this open?

Not sure... I think maybe it could be transferred to something in the post-beta release project. Simply put, since this is a public API, CORS is not a big concern. However in the future I would like to harden CORS on any non-client endpoints to only accept requests from web.

hburn7 added the priority:1 label Apr 16, 2024

myssto added this to o!TR Beta Release Apr 27, 2024

myssto moved this to In Progress in o!TR Beta Release Apr 27, 2024

hburn7 assigned myssto May 10, 2024

hburn7 removed the priority:1 label May 21, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Investigate CORS / authorization for anonymous requests #268

Investigate CORS / authorization for anonymous requests #268

hburn7 commented Apr 16, 2024

hburn7 commented Dec 11, 2024

myssto commented Dec 12, 2024

Investigate CORS / authorization for anonymous requests #268

Investigate CORS / authorization for anonymous requests #268

Comments

hburn7 commented Apr 16, 2024

Filtering of anonymous requests

Possible solutions

hburn7 commented Dec 11, 2024

myssto commented Dec 12, 2024