CORS issue on moodle mobile app

by Muhammad Omer Saleem -
Number of replies: 7

Hey

I am facing a CORS issue in the Moodle mobile app. I have implemented a default functionality in the web side, and my mobile API hits the web to run that functionality. I have inserted a header in my web PHP file to allow all origins.

header('Access-Control-Allow-Origin: *'); 

But this can be risky and vulnerable. Is there any way to reduce the risk?

I know that I can add a URL instead of *, but how can I know the URL of the app?

Any help would be appreciated.

In reply to Muhammad Omer Saleem

Re: CORS issue on moodle mobile app

by Dani Palou -
Hi,

the app uses the following URLs:

Android: http://localhost
iOS: moodleappfs://localhost

We usually recommend using '*' because it was the only way we found to make it work fine in the past. But that was when the app used the "file" protocol, maybe now it's possible. Please let us know if you manage to make it work without using '*'.

Cheers,
Dani
In reply to Dani Palou

Re: CORS issue on moodle mobile app

by Muhammad Omer Saleem -
Thanks for your response.
But when I run it without '*', I get a CORS error.
Are you asking me to put http://localhost instead of '*'?
In reply to Muhammad Omer Saleem

Re: CORS issue on moodle mobile app

by Dani Palou -
You can try, but I don't know if it will work. I don't know how to make it work without '*', so I'm just giving you some info to see if you find a way :)

Cheers,
Dani
In reply to Dani Palou

Re: CORS issue on moodle mobile app

by Muhammad Omer Saleem -
Thanks for your response.
Just a last question: could you please let me know whether allowing '*' in the Moodle web project can be risky or vulnerable?
In reply to Muhammad Omer Saleem

Re: CORS issue on moodle mobile app

by Dani Palou -
Hi,

currently there are several places in Moodle where '*' is already used: the WebServices layer, login/token.php, the upload files endpoint, etc.

Obviously, making things more limited is usually more secure, but IMO using '*' by itself doesn't have to be a huge risk. IMO it's far more important that you protect any private information requiring a user token or similar like Moodle does. Also, AFAIK there are a lot of public APIs using '*'.

Depending on what you're trying to achieve, maybe you prefer to create a new WebService to be called from your mobile API instead of a standalone script. That way the WebService will receive the user token and can decide which information to return based on the user.

Cheers,
Dani
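One way to do what Muhammad asks for, as an added example that is neither Moodle's code nor from anyone in this thread: a PHP allowlist that echoes back a known app origin instead of sending '*'. It assumes the two origins Dani listed arrive in the app's Origin request header (Dani notes above that running without '*' is untested), and the constant and function names are made up for the example.

```php
<?php
// Added example: replace a blanket 'Access-Control-Allow-Origin: *' with an
// exact-match allowlist. The two origins come from Dani's reply above; whether
// the app really sends them as its Origin header is an assumption.
const ALLOWED_ORIGINS = [
    'http://localhost',          // Android build of the Moodle app
    'moodleappfs://localhost',   // iOS build of the Moodle app
];

/**
 * Return the value to put in Access-Control-Allow-Origin for this request,
 * or null when the origin is not on the allowlist (then no CORS header is sent).
 * Exact string comparison only: no prefix or regex matching, so an origin such
 * as "http://localhost.example.net" is not accepted by accident.
 */
function cors_origin_for(?string $requestorigin, array $allowlist = ALLOWED_ORIGINS): ?string {
    if ($requestorigin === null) {
        return null; // Same-origin or non-browser client: nothing to allow.
    }
    return in_array($requestorigin, $allowlist, true) ? $requestorigin : null;
}

/**
 * Emit CORS headers for the current request and answer preflights.
 * Returns true when the request was a preflight that has been fully handled.
 */
function send_cors_headers(): bool {
    $origin = cors_origin_for($_SERVER['HTTP_ORIGIN'] ?? null);
    if ($origin !== null) {
        header('Access-Control-Allow-Origin: ' . $origin);
        // The response now differs per Origin, so tell caches not to serve
        // one origin's copy to another.
        header('Vary: Origin');
        header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
        header('Access-Control-Allow-Headers: Content-Type, Authorization');
        // Deliberately no Access-Control-Allow-Credentials: as Dani suggests,
        // private data should be gated by an explicit user token in the
        // request, not by the browser's cookies.
    }
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
        http_response_code(204);
        return true;
    }
    return false;
}

if (send_cors_headers()) {
    exit; // Preflight answered; the real request will follow separately.
}
// Continue with the script's own work here, checking the user token first.
```

Requests from origins not on the list get no Access-Control-Allow-Origin header at all, so the browser blocks them the same way it does today; the server-side token check still has to protect the data regardless of the CORS policy.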