this post was submitted on 07 Jul 2023
1060 points (99.2% liked)

Lemmy.World Announcements

We've updated Lemmy.world to Lemmy 0.18.1.

For the release notes, see https://lemmy.world/post/1139237

[–] [email protected] 31 points 1 year ago (1 children)

Hi! I noticed an issue with the headers sent by Lemmy.world.

Headers sent from and to this website's official UI look like this:

HTTP/1.1 200 OK
server: nginx/1.18.0 (Ubuntu)
date: Fri, 07 Jul 2023 23:35:17 GMT
content-type: application/json
vary: accept-encoding, Origin, Access-Control-Request-Method, Access-Control-Request-Headers
content-encoding: gzip
access-control-allow-origin: *
access-control-allow-methods: GET, POST, PUT, OPTIONS
access-control-allow-headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
access-control-expose-headers: content-encoding, content-type, vary, Content-Length,Content-Range
X-Firefox-Spdy: h2

Which is fine. However, headers received by custom clients look like this:

HTTP/2 200 OK
server: nginx/1.18.0 (Ubuntu)
date: Fri, 07 Jul 2023 23:33:50 GMT
content-type: application/json
vary: accept-encoding, Origin, Access-Control-Request-Method, Access-Control-Request-Headers
content-encoding: gzip
access-control-allow-origin: https://natoboram.github.io
access-control-expose-headers: content-encoding, access-control-allow-origin, content-type, vary
access-control-allow-origin: *
access-control-allow-methods: GET, POST, PUT, OPTIONS
access-control-allow-headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
access-control-expose-headers: Content-Length,Content-Range
X-Firefox-Spdy: h2

There are two access-control-allow-origin headers! This still breaks web clients.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

At first I thought it was a Lemmy problem, but lemmy.ml doesn't have this problem. @[email protected] It's a lemmy.world problem indeed.

[–] [email protected] 3 points 1 year ago

I'll check that. It's to do with the CORS settings that changed in the recent Lemmy update.
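
Why the duplicated header breaks browser clients, shown as an added example that is not part of the thread or of Lemmy's code: it models the Fetch standard's CORS check on the two header sets quoted in the first comment. The function names are hypothetical and the model is simplified (no preflight handling).

```javascript
// Response headers copied from the comment above, trimmed to the relevant lines.
const OFFICIAL_UI = `HTTP/1.1 200 OK
content-type: application/json
access-control-allow-origin: *
access-control-allow-methods: GET, POST, PUT, OPTIONS`;

const CUSTOM_CLIENT = `HTTP/2 200 OK
content-type: application/json
access-control-allow-origin: https://natoboram.github.io
access-control-expose-headers: content-encoding, access-control-allow-origin, content-type, vary
access-control-allow-origin: *
access-control-allow-methods: GET, POST, PUT, OPTIONS`;

// Parse "name: value" lines into lowercased name -> array of values,
// keeping every occurrence so duplicated headers stay visible.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) { // slice(1) skips the status line
    const idx = line.indexOf(":");
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(line.slice(idx + 1).trim());
  }
  return headers;
}

// Fetch's "get a header" joins repeated headers with ", " before any comparison.
function getCombined(headers, name) {
  const values = headers.get(name.toLowerCase());
  return values ? values.join(", ") : null;
}

// Simplified model of the Fetch CORS check for one response.
function corsCheck(raw, requestOrigin, withCredentials = false) {
  const headers = parseHeaders(raw);
  const acao = getCombined(headers, "Access-Control-Allow-Origin");
  const count = (headers.get("access-control-allow-origin") || []).length;
  const result = (ok, reason) => ({ ok, reason, count, acao });
  if (acao === null) return result(false, "header missing");
  if (!withCredentials && acao === "*") return result(true, "wildcard");
  if (acao !== requestOrigin) return result(false, "combined value is not the request origin");
  if (!withCredentials) return result(true, "origin match");
  const creds = getCombined(headers, "Access-Control-Allow-Credentials");
  return result(creds === "true", "credentialed request");
}

console.log(corsCheck(OFFICIAL_UI, "https://natoboram.github.io"));
console.log(corsCheck(CUSTOM_CLIENT, "https://natoboram.github.io"));
```

Each header on its own would pass; combined they yield `https://natoboram.github.io, *`, which is neither the wildcard nor the request origin, so the browser blocks the response.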