New base URL setup

Hi,

I’m trying to understand the new base URL setup in v3.6.3:
If I add https://domain-b.com to the url allow list in my https://domain-a.com's config,
will it automatically send a “Access-Control-Allow-Origin: https://domain-b.com” header when I make a fetch request from https://domain-b.com to a route of https://domain-a.com
or would I still have to set the header in the response by myself?

The URL allow list can only be set in the main config. It is meant as a security feature to tell Kirby which base URLs are accepted. It makes sure that an attacking request cannot trick Kirby into generating different URLs for assets for example. It’s not needed in most server environments, but adds an additional layer of security in reverse proxy setups for example.

It does not have anything to do with access control headers though. You still have to set them manually.

1 Like

Thanks for the explanation, Bastian!
I understand the purpose of this feature now =)