CORS issue on moodle mobile app


Muhammad Omer Saleem -

Hey

I am facing a CORS issue in the Moodle mobile app. I have implemented a default functionality on the web, and my mobile API is hitting the web to run that functionality. I have inserted a header in my web PHP file to allow all origins.

header('Access-Control-Allow-Origin: *');

But this can be risky and vulnerable. Is there any way to reduce the risk?

I know that I can add a URL instead of *, but how can I know the URL of the app?

Any help would be appreciated.



In reply to Muhammad Omer Saleem

Re: CORS issue on moodle mobile app

Dani Palou -
Core developers, Moodle HQ, Particularly helpful Moodlers, Peer reviewers, Plugin developers
Hi,

the app uses the following URLs:

Android: http://localhost
iOS: moodleappfs://localhost

We usually recommend using '*' because it was the only way we found to make it work fine in the past. But that was when the app used the "file" protocol, maybe now it's possible. Please let us know if you manage to make it work without using '*'.

Cheers,
Dani
In reply to Dani Palou

Re: CORS issue on moodle mobile app

Muhammad Omer Saleem -
Thanks for your response.
But when I am running it without '*', I am getting a CORS error.
Are you asking me to put http://localhost instead of '*'?
In reply to Muhammad Omer Saleem

Re: CORS issue on moodle mobile app

Dani Palou -
You can try, but I don't know if it will work. I don't know how to make it work without '*', so I'm just giving you some info to see if you find a way :)

Cheers,
Dani
In reply to Dani Palou

Re: CORS issue on moodle mobile app

Muhammad Omer Saleem -
Thanks for your response,
Just a last question: could you please let me know whether allowing '*' in a Moodle web project can be risky or vulnerable?
In reply to Muhammad Omer Saleem

Re: CORS issue on moodle mobile app

Dani Palou -
Hi,

currently there are several places in Moodle where '*' is already used: the WebServices layer, login/token.php, the upload files endpoint, etc.

Obviously, making things more limited is usually more secure, but IMO using '*' by itself doesn't have to be a huge risk. IMO it's far more important that you protect any private information requiring a user token or similar like Moodle does. Also, AFAIK there are a lot of public APIs using '*'.

Depending on what you're trying to achieve, maybe you prefer to create a new WebService to be called from your mobile API instead of a standalone script. That way the WebService will receive the user token and can decide which information to return based on the user.

Cheers,
Dani
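An added example (not code from this thread or from Moodle core) of the two points Dani makes above: reflecting only the app origins listed in this thread instead of '*', and still gating private data behind the user token. The origins come from this thread; the `wstoken` parameter name is Moodle's, but the surrounding script and its token check are assumptions, and whether the app accepts a non-'*' value still has to be tested, as Dani notes.

```php
<?php
// Added example, not Moodle core code. Replaces the blanket '*' with an
// allowlist of the origins the app uses, and echoes back only a matching one.

// Origins the Moodle app uses, as stated earlier in this thread.
$allowed_origins = [
    'http://localhost',          // Android
    'moodleappfs://localhost',   // iOS
];

/**
 * Return the Access-Control-Allow-Origin value for a request origin,
 * or null when the origin is not allowlisted (then no CORS header is sent).
 * A literal "null" Origin (what file:// pages send, as the old app did) is
 * deliberately rejected: any sandboxed or file-based page can present it.
 */
function cors_origin_for(?string $origin, array $allowed): ?string {
    if ($origin === null || $origin === 'null') {
        return null;
    }
    return in_array($origin, $allowed, true) ? $origin : null;
}

$origin = $_SERVER['HTTP_ORIGIN'] ?? null;
$allow  = cors_origin_for($origin, $allowed_origins);

if ($allow !== null) {
    header('Access-Control-Allow-Origin: ' . $allow);
    header('Vary: Origin');   // shared caches must key the response on Origin
    header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type');
}

// Preflight: answer and stop before any application logic runs.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
    http_response_code(204);
    exit;
}

// Whatever the CORS header says, private data must still require the user's
// token, which is what Moodle's WebServices layer does with wstoken. The
// presence check here is a placeholder; validate the token against your
// token store before returning anything user-specific.
$wstoken = $_POST['wstoken'] ?? '';
if ($wstoken === '') {
    http_response_code(401);
    exit;
}
```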