← Back to context

Comment by cobolcomesback

1 day ago

Not to mention utter nonsense. There’s no possible way that BW CLI somehow injected command history into a remote server. That was 100% something the GP did, a bug in their terminal, or a config they have with ssh/tmux, not Bitwarden.

8 comments

cobolcomesback

Reply
reactordev  1 day ago

that's our future... with AI. Engineers that don't know the difference between client-side convenience and server-side injection, how to configure `php.ini`, or that no synchronized password manager is safe. While the OAuth scope is `*`, and CORS is what you drink on the weekend.

  • Sohcahtoa82  21 hours ago

    Can someone explain why people struggle with CORS?

    The full strength of the SOP applies by default. CORS is an insecurity feature that relaxes the SOP. Unless you need to relax the SOP, you shouldn't be enabling CORS, meaning you shouldn't be sending an Access-Control-Allow-Origin header at all.

    If your front-end at www.example.com makes calls to api.example.com, then it's simple enough to just add www.example.com to CORS.

    • 12_throw_away  18 hours ago

      IME, CORS is pretty straightforward in prod but can be a huge pain in dev environments, so you end up with lots of little hacks to get your dev environments working (and then one of those hacks leaks back into prod and now you have CORS problems in prod).

      1 reply →

    • fragmede  17 hours ago

      That simple prod example isn't where people struggle with CORS. It's during development and I've got assets on Cloudflare and AWS and GCP and localhost:3000 and localhost:8000, and localhost:3001 and then a VM in Hetner at API.example.com because why not, that shit gets complicated and people get confused and lost. I mean, yeah, don't do that, but CORS gets complicated once the project gets enough teams involved.

      1 reply →

  • lxgr  19 hours ago

    We've had all those well before AI.

    > no synchronized password manager is safe

    Care to elaborate? I'd agree that the security/availability tradeoff is different, but "not safe" is as nonsensical a blanket statement as "all/only offline/paper-based/... password managers are safe".

renewiltord  17 hours ago

Probably terminal emulator is like iTerm2 and double click to select and copy to clipboard is feature.