Documented in docs/SECURITY.md, tracked here so it isn't lost: apps under /app/* are same-origin with /admin/*, so compromised app JS can issue authenticated POSTs to the admin (the Fetch-Metadata/Origin CSRF guard helps, but same-origin requests are the hard case). This makes the Disk-panel backstops (#871) mandatory.
Direction (low priority / deployment guidance)
- For not-fully-trusted apps, document/support serving the portal+admin on a separate host/origin from the app subdomain.
- Consider an option to mount /app/* under a distinct origin.
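To make the "same-origin requests are the hard case" point concrete, here is an added example (not the project's own guard code) of a minimal Fetch-Metadata/Origin CSRF check for admin POSTs, run against constructed request headers: the admin origin, hostnames and header values are assumptions. It shows that a request issued by app JS on the same origin is indistinguishable from the admin UI's own requests, while moving the app to its own host makes the same request rejectable.

```javascript
// Added example: a minimal Fetch-Metadata + Origin CSRF guard for state-changing
// admin requests, and why it cannot stop JS running on the same origin.
// Assumption: the portal/admin is served from ADMIN_ORIGIN (constructed value).
const ADMIN_ORIGIN = "https://portal.example.test";

// Returns { allowed, reason } for a POST to /admin/* carrying the given headers.
function csrfGuard(headers, adminOrigin = ADMIN_ORIGIN) {
  const site = headers["sec-fetch-site"];
  const origin = headers["origin"];
  if (site !== undefined) {
    // Browser supplied Fetch Metadata: allow only same-origin requests and
    // user-initiated navigations ("none"); reject same-site and cross-site.
    const allowed = site === "same-origin" || site === "none";
    return { allowed, reason: `sec-fetch-site=${site}` };
  }
  // Fallback for clients without Fetch Metadata: require a matching Origin header.
  if (origin === adminOrigin) return { allowed: true, reason: "origin matches" };
  return { allowed: false, reason: `origin=${origin ?? "missing"} does not match` };
}

// Constructed requests. The browser sets these headers itself; page JS cannot forge them.
// 1) App under /app/* on the same origin as /admin/*: compromised app JS calls fetch("/admin/...").
const sameOriginApp = { "sec-fetch-site": "same-origin", origin: ADMIN_ORIGIN };
// 2) App served from its own host (the deployment guidance above): the same fetch is
//    now same-site but cross-origin, so both checks can reject it.
const separateOriginApp = { "sec-fetch-site": "same-site", origin: "https://app.example.test" };
// 3) An unrelated site: classic cross-site CSRF, rejected by either check.
const thirdParty = { "sec-fetch-site": "cross-site", origin: "https://other.example.test" };

function demo() {
  return {
    sameOriginApp: csrfGuard(sameOriginApp).allowed,         // true: guard cannot tell it from the admin UI
    separateOriginApp: csrfGuard(separateOriginApp).allowed, // false
    thirdParty: csrfGuard(thirdParty).allowed,               // false
  };
}
```

Because case 1 passes every header-based check, a server-side confirmation step such as the Disk-panel backstops is the only remaining control while apps share the admin origin.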