Disabling CORS for URLs that are not part of the REST API
Description
Enabling CORS allows browsers and browser applications to use the REST API functions developed in the phoenix framework. This is at least required for the uqnu web app, but also helps for other uses.
Problems
Before enabling CORS, the security impact should be evaluated. It should be safe to enable for public resources at least, but there are some sources possibly telling otherwise. I think the security impact mostly comes from malicious sites coercing the browser into using credentials/login sessions for the framework without the user knowing.
Alternatives
Not enabling CORS means browsers will not allow other sites to access the phoenix framework REST API.
Want to take up?
Yes
Edited by Émilie Pagé-Perron
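One way to scope CORS to the REST API only, as an added example that is not code from the framework or from this issue: the function returns CORS headers for API paths and none for any other URL, and never allows credentials. The `/api/` prefix, the read-only method list and the function names are assumptions; the issue does not say which URLs make up the REST API.

```javascript
// Added example, not project code. API_PREFIXES and SAFE_METHODS are assumed values.
const API_PREFIXES = ['/api/'];                  // hypothetical REST API prefix
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']; // assumption: public, read-only API
const BASE = 'http://placeholder.invalid';       // dummy base used only for parsing

// True only when the normalised request path lies under an API prefix.
function isApiPath(rawPath) {
  let url;
  try {
    url = new URL(rawPath, BASE); // collapses "/api/../admin" to "/admin"
  } catch (e) {
    return false;
  }
  // A path such as "//host/api/x" parses as another host: treat it as non-API.
  if (url.origin !== BASE) return false;
  return API_PREFIXES.some((prefix) => url.pathname.startsWith(prefix));
}

// Returns the CORS response headers to add for one request (possibly none).
function corsHeaders(method, rawPath, origin) {
  const headers = {};
  // No Origin header, or a URL outside the REST API: send no CORS headers,
  // so the browser's same-origin policy keeps applying to those pages.
  if (!origin || !isApiPath(rawPath)) return headers;

  // Wildcard origin and no Access-Control-Allow-Credentials: a browser will not
  // let another site read a response to a request that carried the user's cookies.
  headers['Access-Control-Allow-Origin'] = '*';

  if (method === 'OPTIONS') {
    // Preflight answer: advertise the read-only methods only.
    headers['Access-Control-Allow-Methods'] = SAFE_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = 'Accept, Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}
```

The returned object is meant to be merged into the response by whatever middleware or hook the framework provides.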