Uploaded image for project: 'Mojang Web Services'
  1. Mojang Web Services
  2. WEB-6403

Minecraft authentication CORS headers -- hear me out



    • Icon: Bug Bug
    • Resolution: Invalid
    • Icon: Normal Normal
    • API, Other
    • None


      Ok, so, when trying to implement authentication for a browser-based Minecraft port, Eaglercraft...there is always a biiiiig roadblock. That is the fact that CORS headers are not present on the server authentication API endpoints. This means that, well, authentication cannot work without a trusted CORS proxy. A CORS proxy that could, at any time, be taken over and log tokens. This would be a HUGE security flaw for players.

      I ask, and plead, that you add CORS headers to authentication endpoints so that users can complete a handshake with a server via the browser alone, and without relying on a CORS proxy just to get around the lack of CORS headers. This would make this so, so much more secure, and even make it (potentially) respect Minecraft's TOS when it comes to distributing, because the game can be blocked unless you have authenticated.


      This also has the added benefit of helping out VIAaaS which also is forced to rely on CORS proxies to authenticate with servers (which, again, is a HUGE security hole for malicious bad actors to come in and log tokens with a specially crafted CORS proxy (which is super easy to make, btw))


      Please, hear me out, discuss the idea, and at least try to give a thorough response as to why you can/cannot do this, it would be much appreciated. <3


      -ayunami2000, long-time Minecraft player who loves what you do with keeping the game alive




            Unassigned Unassigned
            ayunami2000 Samuel Williams
            0 Vote for this issue
            2 Start watching this issue