Conal-Tuohy / TroveProxy

A transforming proxy and harvester for the National Library of Australia's Trove API
Apache License 2.0

Trove API invalidly returns two access-control-allow-origin headers #24

Open Conal-Tuohy opened 8 months ago

Conal-Tuohy commented 8 months ago

If a request is made to the Trove API containing an "Origin" request header, then the response includes two access-control-allow-origin headers, both with the value *. If a request is made without an Origin header, then a single access-control-allow-origin header is returned. However, requests to the API from a JS client in a browser will always have an Origin header, and because multiple Access-Control-Allow-Origin headers are not allowed, these requests will fail, making it impossible to call the Trove API from such a client, except by going through a proxy which can remove one of the supernumerary headers.

This is a Trove server error.

Conal-Tuohy commented 8 months ago

Trove's response to the following request contains a single access-control-allow-origin header:

curl --verbose  'https://api.trove.nla.gov.au/v3/result?category=newspaper&n=0&encoding=json'

Trove's response to the following request contains two access-control-allow-origin headers:

curl -H 'Origin: http://localhost' --verbose  'https://api.trove.nla.gov.au/v3/result?category=newspaper&n=0&encoding=json'

Conal-Tuohy commented 8 months ago

Libraries Australia reference: RSref165736

Conal-Tuohy commented 7 months ago

I've had no confirmation from NLA, but the bug appears to be fixed:

curl -s --verbose  'https://api.trove.nla.gov.au/v3/result?category=newspaper&n=0&encoding=json' 2>&1 \
| grep --ignore-case --fixed-strings "Access-Control-Allow-Origin:"

produces < access-control-allow-origin: *

wragge commented 3 months ago

Still seems to be broken?

curl H 'Origin: http://localhost' --verbose  'https://api.trove.nla.gov.au/v3/result?category=newspaper&n=0&encoding=json' 2>&1 | grep --ignore-case --fixed-strings "Access-Control-Allow-Origin:"

Produces:

< access-control-allow-origin: *
< access-control-allow-origin: *

Conal-Tuohy commented 3 months ago

You're absolutely right @wragge that this bug persists. My comment from Dec 20 was mistaken because I failed to send an Origin header in that test. BTW your example did the same for me, until I realised that H should have been -H. I will chase it up with the NLA.
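
Why two identical `*` headers fail in a browser, and what the proxy-side repair mentioned in the first comment looks like, as an added example that is not code from this thread or from TroveProxy. It models the Fetch standard's CORS check for a request without credentials; the function names and the sample header list are hypothetical and constructed for illustration.

```javascript
// Headers are [name, value] pairs in wire order, as a proxy would see them.
const ACAO = "access-control-allow-origin";
const isAcao = ([name]) => name.toLowerCase() === ACAO;

// Fetch "get a header": every value for the name is joined with ", ".
function getCombined(headers, name) {
  const values = headers
    .filter(([n]) => n.toLowerCase() === name.toLowerCase())
    .map(([, v]) => v.trim());
  return values.length ? values.join(", ") : null;
}

// Simplified CORS check (credentials mode is not "include").
// Two "*" headers combine to "*, *", which is neither "*" nor the origin.
function corsCheck(headers, requestOrigin) {
  const allow = getCombined(headers, ACAO);
  if (allow === null) return false;
  if (allow === "*") return true;
  return allow === requestOrigin;
}

// Proxy-side repair: when every repeated header carries the same value,
// keep only the first. Conflicting values are left alone so the upstream
// misconfiguration stays visible instead of being silently resolved.
function dedupeAllowOrigin(headers) {
  const distinct = new Set(headers.filter(isAcao).map(([, v]) => v.trim()));
  if (distinct.size !== 1) return headers.slice();
  let kept = false;
  return headers.filter((h) => {
    if (!isAcao(h)) return true;
    if (kept) return false;
    kept = true;
    return true;
  });
}

// Constructed sample mirroring the duplicated header reported in the thread.
const duplicated = [
  ["content-type", "application/json"],
  ["access-control-allow-origin", "*"],
  ["access-control-allow-origin", "*"],
];

console.log(getCombined(duplicated, ACAO));                            // combined value
console.log(corsCheck(duplicated, "http://localhost"));                // before repair
console.log(corsCheck(dedupeAllowOrigin(duplicated), "http://localhost")); // after repair
```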