cobolcomesback 3 hours ago

Not to mention utter nonsense. There’s no possible way that BW CLI somehow injected command history into a remote server. That was 100% something the GP did, a bug in their terminal, or a config they have with ssh/tmux, not Bitwarden.

reactordev 3 hours ago | parent [-]

that's our future... with AI. Engineers that don't know the difference between client-side convenience and server-side injection, how to configure `php.ini`, or that no synchronized password manager is safe. While the OAuth scope is `*`, and CORS is what you drink on the weekend.

lxgr 23 minutes ago | parent | next [-]

We've had all those well before AI.

> no synchronized password manager is safe

Care to elaborate? I'd agree that the security/availability tradeoff is different, but "not safe" is as nonsensical a blanket statement as "all/only offline/paper-based/... password managers are safe".

Sohcahtoa82 3 hours ago | parent | prev [-]

Can someone explain why people struggle with CORS?

The full strength of the SOP applies by default. CORS is an insecurity feature that relaxes the SOP. Unless you need to relax the SOP, you shouldn't be enabling CORS, meaning you shouldn't be sending an Access-Control-Allow-Origin header at all.

If your front-end at www.example.com makes calls to api.example.com, then it's simple enough to just add www.example.com to CORS.
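As an added illustration of the point made in the comment above (this is example code, not something posted in the thread): a server-side decision function for api.example.com that emits Access-Control-Allow-Origin only for an allowlisted origin and stays silent otherwise, so the Same-Origin Policy keeps applying in full. The allowlist contents, the `reflectOriginHeaders` contrast function and the constructed request origins are assumptions for the demo.

```javascript
// Added example (not from the thread). Models how api.example.com should decide
// whether to relax the Same-Origin Policy for a cross-origin request.
// Assumption: only the front-end at https://www.example.com needs to call the API.

// Origins are compared as exact strings (scheme + host + optional port, no path,
// no trailing slash), which is how the browser sends the Origin request header.
const ALLOWED_ORIGINS = new Set(["https://www.example.com"]);

/**
 * Return the CORS response headers for a request carrying `requestOrigin`.
 * Returns {} when there is no Origin header (same-origin or non-CORS request),
 * when the origin is the opaque "null" origin, or when it is not allowlisted.
 * In all of those cases no Access-Control-Allow-Origin header is sent at all,
 * so the browser keeps enforcing the SOP and the caller's script gets no response.
 */
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS, withCredentials = false) {
  if (typeof requestOrigin !== "string") return {};
  // "null" is what sandboxed iframes, file:// pages and some redirects send;
  // allowlisting it would let any such document read the response.
  if (requestOrigin === "null") return {};
  // Exact set membership: a prefix or regex match would let
  // https://www.example.com.evil.example through.
  if (!allowed.has(requestOrigin)) return {};

  const headers = {
    // Echo the single allowlisted value, never "*", so that the header can be
    // combined with credentials and so that only that origin is granted access.
    "Access-Control-Allow-Origin": requestOrigin,
    // The response now varies by request origin; shared caches must key on it,
    // otherwise one origin's ACAO header may be served to another.
    "Vary": "Origin",
  };
  if (withCredentials) {
    // Cookies / Authorization are only released to the named origin above.
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

/**
 * Contrast case (constructed for this example): the common mistake of reflecting
 * whatever Origin the browser sent. This is equivalent to disabling the SOP for
 * this endpoint, because every origin, including an attacker's page, is granted
 * read access to the response.
 */
function reflectOriginHeaders(requestOrigin) {
  if (typeof requestOrigin !== "string") return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Constructed sample requests to show the decision for each case.
const sampleOrigins = [
  undefined,                                   // same-origin request, no Origin header
  "https://www.example.com",                   // the allowlisted front-end
  "https://www.example.com.evil.example",      // lookalike host
  "null",                                      // opaque origin
  "https://evil.example",                      // arbitrary third party
];

for (const origin of sampleOrigins) {
  console.log(String(origin).padEnd(40), JSON.stringify(corsHeaders(origin)));
}
```

Anything that yields `{}` above leaves the browser's default in force: the request may still reach the server (a simple GET will), but the calling page cannot read the response. The same allowlist check is what a preflight handler would apply before adding Access-Control-Allow-Methods and Access-Control-Allow-Headers.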