Does this mean that theoretically you could capture a user’s session token or credentials? Since they are passing through your proxy server and not directly going to a Lemmy instance for auth.
Edit: By the way, love the app. It is by far the best for browsing Lemmy. I love the Apollo feel to it.
Edit 2: I saw your comment on Github and I think the answer to my question is “yes, it is theoretically possible to steal the users session token.” I would also assume this security/privacy risk would exist for ALL Lemmy apps where you login.
To be clear, I am building a web client for Lemmy called wefwef. https://github.com/aeharding/wefwef/
Currently, I have to proxy all requests to an intermediary server I control. This is not just extra work, but has security and privacy ramifications.
So please, check out how Mastodon does it (you can inspect requests with Elk) and check out how it can directly connect to any Mastodon server, since they all allow CORS *.
TLDR I think it’s actually more secure to have CORS * for all Lemmy instances, because it allows 3rd party web clients to directly connect to a Lemmy instance.
Yes, wefwef is forced to proxy requests due to Lemmy restrictions.
I believe native apps don’t have CORS restrictions, so they can directly connect.
The good news is you can self host if that is a concern. And the even better news is the next version of Lemmy should allow CORS * which should allow web clients like wefwef to directly connect like native apps do, so this problem should eventually go away!
Does this mean that theoretically you could capture a user’s session token or credentials? Since they are passing through your proxy server and not directly going to a Lemmy instance for auth.
Edit: By the way, love the app. It is by far the best for browsing Lemmy. I love the Apollo feel to it.
Edit 2: I saw your comment on Github and I think the answer to my question is “yes, it is theoretically possible to steal the users session token.” I would also assume this security/privacy risk would exist for ALL Lemmy apps where you login.
Yes, wefwef is forced to proxy requests due to Lemmy restrictions.
I believe native apps don’t have CORS restrictions, so they can directly connect.
The good news is you can self host if that is a concern. And the even better news is the next version of Lemmy should allow CORS * which should allow web clients like wefwef to directly connect like native apps do, so this problem should eventually go away!