Hi Daniel,
On 01.04.2019 01:22, Daniel Kahn Gillmor wrote:
> I don't know CORS well enough to know how to properly constrain such a
> header, but if we do add guidance, I'd want to make sure it is narrowly
> scoped so that an administrator deploying WKD doesn't accidentally open
> up the rest of the site's data to external cross-origin requests.
If by "how to properly constrain" you mean configuration on the server
side, then it looks something like this for nginx:
location /.well-known/openpgpkey {
add_header Access-Control-Allow-Origin '*' always;
}
or for Apache:
<Location "/.well-known/openpgpkey">
Header set Access-Control-Allow-Origin "*"
</Location>
I agree that it's a good idea to expose it as narrowly as possible,
though it doesn't give JavaScript code in the browser more power than
"curl". (I can discuss details in case anyone is interested).
Just in case a proof-of-concept is needed I wrote a simple decentralized
encrypt-then-email page that utilizes OpenPGP.js, CORS WKD and mailto
links: https://metacode.biz/sandbox/encrypt
Kind regards,
Wiktor
--
https://metacode.biz/@wiktor
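As an added illustration (not Wiktor's code and not part of the original thread), the following shows both halves of the discussion: how a browser client such as OpenPGP.js derives the WKD path it must fetch cross-origin, and a check a WKD administrator can run against captured response headers to confirm that Access-Control-Allow-Origin is served only under /.well-known/openpgpkey and not for the rest of the site. The header dictionaries in the usage section are constructed samples.

```python
import hashlib

# WKD serves keys under this prefix; the CORS header belongs here and nowhere else.
WKD_PREFIX = "/.well-known/openpgpkey/"

# z-base-32 alphabet used by WKD to encode the SHA-1 of the lowercased local-part.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding, 5 bits per output character."""
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(
        ZBASE32_ALPHABET[int(bits[i:i + 5].ljust(5, "0"), 2)]
        for i in range(0, len(bits), 5)
    )


def wkd_direct_path(email: str) -> str:
    """Path a browser client fetches for the WKD direct method (hashed local-part)."""
    local_part, _domain = email.rsplit("@", 1)
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return f"{WKD_PREFIX}hu/{zbase32_encode(digest)}?l={local_part}"


def cors_scope_ok(path: str, headers: dict) -> bool:
    """True when Access-Control-Allow-Origin appears exactly where it should.

    Under the WKD prefix the header must be '*' (wildcard, no credentials);
    anywhere else on the site it must be absent, so a WKD deployment does not
    accidentally expose unrelated resources to cross-origin reads.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    if path.startswith(WKD_PREFIX):
        return acao == "*"
    return acao is None


if __name__ == "__main__":
    # Constructed sample responses, as an admin might capture them with curl -I.
    wkd_path = wkd_direct_path("Joe.Doe@Example.ORG")
    print(wkd_path, cors_scope_ok(wkd_path, {"Access-Control-Allow-Origin": "*"}))
    print("/index.html", cors_scope_ok("/index.html", {"Content-Type": "text/html"}))
    print("/private/", cors_scope_ok("/private/", {"Access-Control-Allow-Origin": "*"}))
```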
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp