When the Access-Control-Allow-Headers is *, the Authorization header is not covered. #1616
Howdy, I'm getting this warning in the Firefox console when doing cross-origin requests:
Is there a way to get rid of it from the config xml, or should I report it as an issue or just wait for it to be fixed? Thanks!
This answer has more to do with security than the root issue you mentioned, but... If you are building an application that uses OME, I recommend not exposing the OME API to your end-users directly. Your application should provide its own API endpoint that filters results and only shows users what they are allowed to see based on permissions within the scope of your app. With uncontrolled access to the OME API users can potentially see or manipulate streams and other elements that they shouldn't be able to.

Here is some code from my app back-end which looks at the possible endpoints and restricts them to users based on the amount of damage they might be able to do. The request is passed to a

I hope this inspires you to build a robust and secure API for your app!
I've tried with
and it worked just fine. As far as a proper solution, it would be up to the maintainers to choose it, I was just reporting the issue.
Feel free to change this discussion into an issue.
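
As an added example (not part of the discussion and not OME's code), the sketch below models the header step of the browser's CORS preflight check from the Fetch standard, which is why a `*` in Access-Control-Allow-Headers leaves Authorization uncovered. The function names and sample header values are made up for illustration, and the input is assumed to be the header names the browser lists in Access-Control-Request-Headers.

```javascript
// Added example: header step of the CORS preflight check (Fetch standard).
// "authorization" is the one request header name that "*" never matches.
const NON_WILDCARD = new Set(["authorization"]);

// Split a comma-separated header value into lower-cased names.
function parseList(value) {
  return new Set(
    (value || "")
      .split(",")
      .map((s) => s.trim().toLowerCase())
      .filter(Boolean)
  );
}

// Returns the requested header names the preflight response does not allow.
// allowHeaders:     value of Access-Control-Allow-Headers from the server
// requestedHeaders: names the browser asked for (assumed already non-safelisted)
// withCredentials:  true when the request is sent with credentials; in that
//                   mode "*" is a literal header name, not a wildcard
function blockedRequestHeaders(allowHeaders, requestedHeaders, withCredentials = false) {
  const allowed = parseList(allowHeaders);
  const wildcard = allowed.has("*") && !withCredentials;
  const blocked = [];
  for (const name of requestedHeaders) {
    const lower = name.toLowerCase();
    if (allowed.has(lower)) continue;                  // listed by name
    if (wildcard && !NON_WILDCARD.has(lower)) continue; // covered by "*"
    blocked.push(name);
  }
  return blocked;
}

// Constructed sample: a player sending a bearer token plus a custom header.
const requested = ["Authorization", "X-Request-Id"];

console.log(blockedRequestHeaders("*", requested));                 // wildcard only
console.log(blockedRequestHeaders("*, Authorization", requested));  // named explicitly
console.log(blockedRequestHeaders("*", requested, true));           // credentialed
```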