From f06dbf7a14a19ae95b7417cae4334d57c5a34572 Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey <accounts@katherina.rocks>
Date: Mon, 6 Jan 2025 09:18:36 +0000
Subject: [PATCH] Draw attention to CORS requirements for WebFinger (#1581)

Adds a callout box mentioning that CORS headers must be set if WebFinger requests are being redirected to support a customised WEB_DOMAIN value.

This requirement is not called out in the text (only the nginx config example next to it), and is non-obvious enough that, anecdotally, many servers do not implement it properly.

See: https://github.com/mastodon/mastodon/issues/26995
---
 content/en/admin/config.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/content/en/admin/config.md b/content/en/admin/config.md
index 117a0606..a0099541 100644
--- a/content/en/admin/config.md
+++ b/content/en/admin/config.md
@@ -34,6 +34,10 @@ location /.well-known/webfinger {
 }
 ```
 
+{{< hint style="info" >}}
+You must serve the redirect with CORS headers; otherwise, some functions of Mastodon's web UI will not work. For example: `Access-Control-Allow-Origin: *`
+{{</ hint >}}
+
 #### `ALTERNATE_DOMAINS`
 
 If you have multiple domains pointed at your Mastodon server, this setting will allow Mastodon to recognize itself when users are addressed using those other domains. Separate the domains by commas, e.g. `foo.com,bar.com`