Needed fix for corsProxy (server operators must read) #1768

@RubenVerborgh

Description

Action required

If you are an NSS server operator, please check that your settings use the default "corsProxy": false.
If you have a public facing server with "corsProxy": true, please change it to "corsProxy": false until the suggested fix below is deployed.

Fix

The CORS proxy needs to be changed as follows:

  • If no Origin field is present in the HTTP request, respond with a 400 or similar.
  • If the Origin value in the request is not the server's configured domain (podhost.example) or a direct subdomain thereof (alice.podhost.example), respond with 400 or similar.
  • If, after satisfying the above two conditions, the response received from the downstream server does not indicate an RDF content type in its headers (such as Turtle, HTML, etc.), respond with 400.
    • In particular, images, videos, PDFs etc. must result in a 400.
    • The connection to the downstream server can and should be closed prematurely if the content type is not RDF.
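The three checks above, written out as an added example (this is not node-solid-server's own code, and the function names, the `{ status, reason }` return shape and the list of accepted media types are assumptions of the example; the issue itself only names Turtle and HTML). The decision is made from the request's Origin header and the downstream response's Content-Type header alone, so a non-RDF response can be rejected before any body bytes are relayed:

```javascript
// Added example, not node-solid-server code. Pure functions so each check can
// be unit-tested without a running proxy. Uses Node's global URL class.

// Media types the proxy is willing to relay. The issue names Turtle and HTML;
// the other RDF serialisations listed here are an assumption of this example.
const RDF_MEDIA_TYPES = new Set([
  'text/turtle',
  'text/html',
  'application/ld+json',
  'application/rdf+xml',
  'application/n-triples',
  'application/n-quads',
  'text/n3',
  'application/trig',
]);

// Check 2: the Origin must be the configured domain or a direct subdomain.
// Returns false for a missing, malformed or opaque ("null") Origin.
function isAllowedOrigin(origin, configuredHost) {
  if (typeof origin !== 'string' || origin === 'null') return false;
  let hostname;
  try {
    hostname = new URL(origin).hostname.toLowerCase();
  } catch (e) {
    return false; // not a parseable origin such as "https://host"
  }
  const host = configuredHost.toLowerCase();
  if (hostname === host) return true;
  // Direct subdomain only: exactly one DNS label in front of the configured
  // host. A suffix match alone would also accept "evilpodhost.example".
  const suffix = '.' + host;
  if (!hostname.endsWith(suffix)) return false;
  const prefix = hostname.slice(0, -suffix.length);
  return prefix.length > 0 && !prefix.includes('.');
}

// Check 3: the downstream Content-Type must be an RDF serialisation.
// Parameters such as "; charset=utf-8" are ignored when matching.
function isRdfContentType(contentType) {
  if (typeof contentType !== 'string') return false;
  const mediaType = contentType.split(';')[0].trim().toLowerCase();
  return RDF_MEDIA_TYPES.has(mediaType);
}

// Combine the checks into one status decision. `requestHeaders` uses Node's
// lowercase header keys; `downstreamContentType` is the downstream response's
// Content-Type as soon as its headers arrive, so on a 400 the upstream
// connection can be aborted without reading the body.
function corsProxyDecision(requestHeaders, configuredHost, downstreamContentType) {
  if (!('origin' in requestHeaders)) {
    return { status: 400, reason: 'missing Origin header' };
  }
  if (!isAllowedOrigin(requestHeaders.origin, configuredHost)) {
    return { status: 400, reason: 'Origin is not the configured domain or a direct subdomain' };
  }
  if (!isRdfContentType(downstreamContentType)) {
    return { status: 400, reason: 'downstream content type is not RDF' };
  }
  return { status: 200, reason: 'ok' };
}
```

One caveat worth keeping in mind: Origin is set by browsers and cannot be forged by a page's script, but a non-browser client can send any Origin it likes, so the second check constrains which web origins may drive the proxy rather than which clients may reach it; the content-type check is what limits what the proxy will relay at all.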
