Message: #06786
[EP-tech] Question about CORS
- To: eprints-tech@ecs.soton.ac.uk
- Subject: [EP-tech] Question about CORS
- From: Christopher Gutteridge <cjg@ecs.soton.ac.uk>
- Date: Tue, 22 Aug 2017 14:58:36 +0100
Hi, a bit odd me asking a question but I'm a bit rusty. We've a request from a (non-malicious) third party to allow CORS so they can have JavaScript that accesses /id/ and /cgi/export/ to do clever things.
If there's any way to alter the system via these URLs it's a cross-site-scripting no-no, and from reviewing the code I *think* that those URLs are always read-only.
I thought the REST interface was at /rest/ but it looks like there's another one implemented on /id/:
https://github.com/eprints/eprints/blob/3.3/perl_lib/EPrints/Apache/REST.pm -- uses /rest/
https://github.com/eprints/eprints/blob/3.3/perl_lib/EPrints/Apache/CRUD.pm -- uses /id/
I suspect that means that it *is* too dangerous to allow cross site JS to connect to /id/ which is a pity, but security first, right?
--
Christopher Gutteridge -- http://users.ecs.soton.ac.uk/cjg
University of Southampton Open Data Service: http://data.southampton.ac.uk/
You should read our Web & Data Innovation blog: http://blogs.ecs.soton.ac.uk/webteam/
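The core of the question above is how to let one partner's browser script read /id/ and /cgi/export/ without also letting it act on the repository. The Apache configuration below is an added example, not part of this message or of the EPrints project; it assumes mod_headers and mod_setenvif are enabled and uses https://partner.example as a placeholder for the third party's real origin. The weak variant is shown first, in comments, so the difference is visible.

```apache
# Added example (not EPrints project code). Scope CORS to the read-only
# export paths only and never grant credentials to the cross-origin caller.
#
# Weak pattern to avoid (shown for contrast):
#   Header set Access-Control-Allow-Origin "*"
#   Header set Access-Control-Allow-Credentials "true"
# Browsers reject "*" with credentials, so people "fix" it by reflecting the
# request's Origin header verbatim. That reflects any origin AND sends the
# user's EPrints session cookie with it, so a hostile page could read or
# change whatever the logged-in user can.

<LocationMatch "^/(id|cgi/export)/">
    # Only the one approved origin (placeholder) gets a CORS grant.
    # $0 is the matched Origin value, so the allowed origin is never reflected
    # from an arbitrary request.
    SetEnvIf Origin "^https://partner\.example$" CORS_ORIGIN=$0

    Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
    # Caches must key on Origin now that the response varies by it.
    Header always merge Vary "Origin"

    # Advertise read-only methods only. PUT/DELETE preflights from the partner
    # origin are refused by the browser because they are not listed here.
    Header always set Access-Control-Allow-Methods "GET, HEAD, OPTIONS" env=CORS_ORIGIN

    # Deliberately NO Access-Control-Allow-Credentials: the cross-origin script
    # sees only what an anonymous visitor sees, and can never operate the
    # CRUD interface on /id/ as a logged-in user.
</LocationMatch>
```

Two points worth checking after deploying something like this: request a document URL from a browser console on an unrelated origin and confirm no Access-Control-Allow-Origin header comes back, and confirm that an authenticated session on the repository is not exposed to the partner origin (the credentials header must stay absent). Keeping the CORS grant limited to the read-only paths, rather than server-wide, is what makes the "read-only, so safe" reasoning in the message hold.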