is it safe to be making calls directly to supabase from the client side via the js SDK? I think it's cool given that I'm using a public key and a JWT (in addition to RLS on tables) for each call. But I'm not sure how I feel about showing the location of supabase url

if your policies are set up correctly, no

Both the URL and anon key can be exposed in the front-end. The anon key will adhere to row-level security policies. Technically, someone could grab both of those things from the network tab of a browser and use them elsewhere, but if you have RLS policies that check

auth.uid()

in place, they won't be able to access the tables unless they've got an authed user. You've got a few options: - Accept it - Route requests through an API, which introduces more complexity as you have to proxy requests back to the front-end (including headers) If you were self-hosting, you could definitely setup CORS policies - I've not personally dug into that, but I know there's some in place in the self-hosted version, though I think it's just

*

/ all origins

Thanks @User

Thinking about it, CORS might even be limited to the site url in auth settings - not 100% sure on that, maybe one of the team can clarify

and what affect would that have if true? Only calls from the

Site URL

declared in settings would be permitted?

Assuming I'm correct, yeah, that would be the case. Looking through the source for the gotrue repo now to see if I can confirm

woof

I'd also be interested to hear the reasoning too. I've opened a thread - #871172819201953822, but it might be worth opening a github discussion on it if that doesn't get any replies

I’d say CORS is irrelevant for Supabase, security wise

That's a fair point, and I thought about it a little more after I woke up today. Security is just one aspect of it, albeit a very important one, and you're correct that a token would need to be obtained, which would be impossible due to the redirect URI in place. My consideration isn't really DoS since that's an entirely separate concern. Likewise, good RLS policies are essential in any PG environment so I'm not concerned about how those tie in with CORS. My concern is really for tables where you've got truly public data (e.g. pricing for products) that you might not want being displayed elsewhere than your website. If you've got a bunch of random websites feeding on data from your database, that's resources being dedicated to serving those queries which could be better used for serving legitimate queries from authorised sources. I guess I'd just like the option to be able to say 'only these websites can access the database via REST'. It won't stop a server-side environment, but it could certainly reduce the number of requests that shouldn't ever hit your database in the first place.

I usually hate the idea of making it easy for people to use my data directly, but in the end, it doesn’t matter