This repository has been archived on 2024-07-22. You can view files and clone it, but cannot push or open issues or pull requests.
mastodon/config/initializers
Ben Lubar 13e049d772 Allow cross-origin requests to /.well-known/* URLs. (#9083)
Right now, this includes three endpoints: host-meta, webfinger, and change-password.

host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser.

change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled.

The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery.
2018-10-25 03:13:35 +02:00
0_post_deployment_migrations.rb Add post-deployment migration system (#8182) 2018-08-13 13:40:01 +02:00
1_hosts.rb Set Content-Security-Policy rules through RoR's config (#8957) 2018-10-11 20:35:46 +02:00
active_model_serializers.rb Disable AMS logging (#7623) 2018-05-26 01:08:31 +02:00
application_controller_renderer.rb
assets.rb HTML e-mails for UserMailer (#6256) 2018-01-16 03:29:11 +01:00
backtrace_silencers.rb
blacklists.rb Quick best practice cleanup of views/helpers (#1546) 2017-04-12 18:24:18 +02:00
chewy.rb Fix #6509: Use pull queue for chewy jobs (#6513) 2018-02-20 17:25:16 +01:00
content_security_policy.rb Add manifest_src to CSP, add blob to connect_src (#8967) 2018-10-12 19:07:30 +02:00
cookies_serializer.rb Upgrade to Rails 5.0.0.1 2016-08-17 17:58:00 +02:00
cors.rb Allow cross-origin requests to /.well-known/* URLs. (#9083) 2018-10-25 03:13:35 +02:00
devise.rb feat(cookies): Use the same-site attribute to lax (#8626) 2018-09-08 23:54:28 +02:00
doorkeeper.rb Add unread indicator to conversations (#9009) 2018-10-19 01:47:29 +02:00
fast_blank.rb fix can toot whitespace (#2218) 2017-04-22 19:48:55 +02:00
ffmpeg.rb add ffmpeg initializer (#8855) 2018-10-09 03:02:52 +02:00
filter_parameter_logging.rb Added optional two-factor authentication 2017-01-27 20:35:16 +01:00
http_client_proxy.rb lint pass 2 (#8878) 2018-10-04 17:38:04 +02:00
httplog.rb Version bumps for ruby and misc gems (#1159) 2017-04-10 22:47:41 +02:00
inflections.rb Add ActivityPub inbox (#4216) 2017-08-08 21:52:15 +02:00
instrumentation.rb Improve StatsD instrumentation 2017-01-26 19:08:05 +01:00
kaminari_config.rb adjust public profile pages 2 (#5223) 2017-10-04 22:49:36 +02:00
mime_types.rb Set correct content-type for ActivityPub JSON (#4592) 2017-08-14 04:16:43 +02:00
oj.rb Remove rabl dependency (#5894) 2017-12-06 15:04:49 +09:00
omniauth.rb lint pass 2 (#8878) 2018-10-04 17:38:04 +02:00
open_uri_redirection.rb rubocop issues - Cleaning up (#8912) 2018-10-08 04:50:11 +02:00
pagination.rb Pagination improvements (#1445) 2017-04-11 01:11:41 +02:00
paperclip.rb Rename S3_CLOUDFRONT_HOST to S3_ALIAS_HOST. (#8423) 2018-08-25 13:27:08 +02:00
premailer_rails.rb HTML e-mails for UserMailer (#6256) 2018-01-16 03:29:11 +01:00
rack_attack.rb lint pass 2 (#8878) 2018-10-04 17:38:04 +02:00
rack_attack_logging.rb Log rate limit hits (#7096) 2018-04-10 01:20:18 +02:00
redis.rb Set config.cache_store in environments file. (#3219) 2017-05-22 15:01:02 +02:00
session_activations.rb Revocable sessions (#3616) 2017-06-23 18:50:53 +02:00
session_store.rb feat(cookies): Use the same-site attribute to lax (#8626) 2018-09-08 23:54:28 +02:00
sidekiq.rb lint pass 2 (#8878) 2018-10-04 17:38:04 +02:00
simple_form.rb Redesign forms, verify link ownership with rel="me" (#8703) 2018-09-18 16:45:58 +02:00
single_user_mode.rb
statsd.rb Fix that Rails.cache information could not be sent via StatsD (#8831) 2018-09-30 00:05:59 +02:00
stoplight.rb Add a circuit breaker for ActivityPub deliveries (#7053) 2018-04-07 21:36:58 +02:00
strong_migrations.rb Fix migration failure due to StrongMigrations on production env (#5283) 2017-10-09 10:05:35 +02:00
suppress_csrf_warnings.rb Suppress CSRF token warnings (#6240) 2018-01-15 06:51:23 +01:00
trusted_proxies.rb Fix error 2017-01-22 23:07:31 +01:00
twitter_regex.rb Lint pass (#8876) 2018-10-04 12:36:53 +02:00
vapid.rb Lint pass (#8876) 2018-10-04 12:36:53 +02:00
wrap_parameters.rb