Stupid question, but CORS is designed explicitly to defend against this type of side-surf attack.
Adding a strict CORS policy should fix this, or am I missing something?
"no-cors" means the request will not be preflighted, but also that JS will be denied access to the body. But the body doesn't matter here — the attack only requires the request be sent.
But more to the point, so long as the request meets the requirements of a "simple request", CORS won't preflight it. GETs qualify as a simple request so long as no non-CORS-safelisted headers are sent; since the sent headers are attacker-controlled, we can just assume that to be the case. In a non-preflighted request, the CORS "yes, let JS do this" is just on the response headers of the actual request itself.
Since GETs are idempotent, the browser assumes it is safe to make the request. CORS could/would be used to deny JS access to the response.
Things are this way b/c there are, essentially, a myriad of other ways to make the same request. E.g.,
<img src="https://gyrovague.com/?s=…">
in the document would, for all intents and purposes, emit the same request, and browsers can't ban such requests, or at least, such a ban would be a huge breaking change in browsers.
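The two points made above, that a header-free GET is never preflighted and that the server can only act on the request after it has already been sent, can be checked with a small script. This is an added example, not code from the thread or from the site being discussed; it uses a simplified version of the Fetch spec's CORS-safelisted rules and a server-side check on the Sec-Fetch-* headers (which browsers set and page script cannot forge). The header set for the `<img>` case, the hostname `example.invalid`, and the function names are constructed for the illustration.

```javascript
// Added illustration, not code from the thread. Two pure helpers:
//  - isSimpleRequest(): does a browser send this request without a CORS
//    preflight? (simplified CORS-safelisted rules from the Fetch spec)
//  - allowByFetchMetadata(): a server-side "resource isolation" check that
//    refuses cross-site requests to state-changing endpoints using the
//    Sec-Fetch-* headers, which the browser sets and page script cannot forge.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when the request goes out with no preflight, i.e. the server only
// gets to say "no" via CORS response headers after it has already received
// (and possibly acted on) the request.
function isSimpleRequest(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false;
    if (lower === "content-type") {
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return false;
    }
  }
  return true;
}

// Server-side policy for endpoints that change state (or that you do not want
// triggered cross-site at all). Header keys are lower-case, as Node's http
// module delivers them. Returns true if the request may proceed.
function allowByFetchMetadata(method, headers = {}) {
  const site = headers["sec-fetch-site"];
  // Older browsers omit Fetch Metadata entirely; without it we cannot tell,
  // so this check must be paired with SameSite cookies or a CSRF token.
  // Here we fail open to avoid breaking such clients.
  if (site === undefined) return true;
  // Same-origin, same-site, and user-initiated ("none": typed URL/bookmark)
  // requests are fine.
  if (site === "same-origin" || site === "same-site" || site === "none") return true;
  // Cross-site: allow only top-level navigations (a user following a link),
  // which are GET and not embedded via <object>/<embed>.
  const mode = headers["sec-fetch-mode"];
  const dest = headers["sec-fetch-dest"];
  if (method.toUpperCase() === "GET" && mode === "navigate" &&
      dest !== "object" && dest !== "embed") return true;
  // Everything else cross-site, e.g. an <img> or fetch() from another page,
  // is refused before any side effect runs.
  return false;
}

// Constructed sample (assumed values): what a current browser sends for
//   <img src="https://example.invalid/?s=...">
// when that tag sits on some other site's page.
const IMG_FROM_OTHER_SITE = {
  "sec-fetch-site": "cross-site",
  "sec-fetch-mode": "no-cors",
  "sec-fetch-dest": "image",
};

console.log("img GET preflighted?", !isSimpleRequest("GET", {}));
console.log("img GET allowed by policy?", allowByFetchMetadata("GET", IMG_FROM_OTHER_SITE));
```

The first helper confirms the thread's claim: a GET carrying only safelisted headers is sent without any preflight, so CORS never gets a chance to block it. The second shows where the defence actually belongs: the server refuses the cross-site `no-cors` image fetch before doing anything with the query, while a genuine cross-site link click (`Sec-Fetch-Mode: navigate`) still works.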
Quick plug for https://pistepal.app/ - that's my own contribution to the space. Features location sharing and nav/directions, and priced lower than the competition yet with perhaps a richer / more focussed feature set. Interested to hear feedback and ideas!
Except that it got around 2.9K reviews by now, which is more than you have right now. Furthermore, we shouldn't further fragment the few open source review efforts we have.
Many OSM apps will also be reluctant to adopt a closed source solution that might be closed off at any moment. And under what licenses will those reviews be? As MapComplete developer, I cannot and will not be adopting a system based on Bluesky.
The idea of fragmentation depends on a model of decentralization that still makes the platform inseparable from the data it works with. AT separates concerns so that the priorities of your data host and the priorities of your platform host can conflict without one being able to control the other even if you don't self-host. All the reviews are just an entry in your PDS, so it's all there for any new or existing platform.
Thousands of people have already set up their own PDSes and it's inevitable managed hosts will appear soon. Blacksky just started migrating people over to its own PDS. AT's credible exit is close to reality after about two years while all the promise of ActivityPub and predecessor protocols has yet to materialize after over 15 years.
It seems dead though...