mirror of https://github.com/tootsuite/mastodon
13e049d772
Right now, this includes three endpoints: host-meta, webfinger, and change-password. host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser. change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled. The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery. |
||
|---|---|---|
| .. | ||
| environments | ||
| initializers | ||
| locales | ||
| webpack | ||
| application.rb | ||
| boot.rb | ||
| brakeman.ignore | ||
| database.yml | ||
| deploy.rb | ||
| environment.rb | ||
| i18n-tasks.yml | ||
| navigation.rb | ||
| puma.rb | ||
| routes.rb | ||
| secrets.yml | ||
| settings.yml | ||
| sidekiq.yml | ||
| themes.yml | ||
| webpacker.yml | ||