
I have a Rails app that uses ActiveStorage/S3 for managing attachments. Some of these attachments, which need to be downloaded and executed in my client, are .js files.

When I initially tried to download these assets I got an error related to CORS, which I fixed by adding a CORS configuration to my S3 bucket, as per this answer.

The configuration includes the line

<AllowedOrigin>*</AllowedOrigin>

This line makes me somewhat nervous. I want to keep the assets private. They're in a bucket with no public access, and users of my Rails app must be authenticated in order to be redirected to them.

I'm unclear on what this line means exactly, in the context of a CORS configuration. Will it compromise the security of my attachments? Would naming a specific origin, rather than allowing all, make my attachments more secure?


1 Answer

As I simply don't know your needs and limitations about sending .js files this way, I recommend you check out this thread.

Will it compromise the security of my attachments? Would naming a specific origin, rather than allowing all, make my attachments more secure?

I don't think so. The Cross-Origin header is checked in web browsers (more info here), but it does not block calls from other services like Postman or cURL. So your application has to ensure the security of those .js files anyway. As said, the content is actually downloaded even though the web browser decides not to use it.

Viva Cristo Rei.
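An added illustration of the point in the answer above (this is not code from the question or the answer): a toy Ruby model of what the bucket's CORS rule decides for browser and non-browser clients, next to the expiring signed URL that actually gates access. The signing scheme here is a simplified hypothetical stand-in for S3 presigned URLs, not the real SigV4 scheme.

```ruby
require "openssl"
require "uri"

# Toy model of an S3 CORS rule. For a browser request carrying an Origin
# header, the response gains Access-Control-Allow-Origin only when the rule
# matches: "*" matches every origin, anything else must match exactly.
# Clients that send no Origin (cURL, Postman) are never subject to the rule.
def cors_allow_origin_header(allowed_origins, request_origin)
  return nil if request_origin.nil?
  return "*" if allowed_origins.include?("*")
  allowed_origins.include?(request_origin) ? request_origin : nil
end

# What the browser does with that header: the body reaches page scripts only
# if the header permits the page's origin. The bytes were transferred anyway.
def browser_exposes_body?(allowed_origins, page_origin)
  !cors_allow_origin_header(allowed_origins, page_origin).nil?
end

# The real gate: a time-limited URL signed with a secret shared only by the
# app and the storage service (hypothetical simplified scheme, not SigV4).
def sign_url(secret, path, expires_at)
  payload = "#{path}?expires=#{expires_at.to_i}"
  "#{payload}&sig=#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
end

# Constant-time comparison so a forged signature cannot be guessed byte by
# byte from timing differences.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Accepts the URL only if the signature covers path and expiry and the
# expiry has not passed; tampering with either invalidates it.
def valid_signed_url?(secret, url, now: Time.now)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s).to_h
  expires = params["expires"].to_i
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, "#{uri.path}?expires=#{expires}")
  secure_equal?(expected, params["sig"].to_s) && now.to_i <= expires
end
```

Narrowing AllowedOrigin only changes what page scripts on other sites may read; it never stops a client that ignores CORS, so the authenticated redirect to a short-lived signed URL is what keeps the attachments private.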
