Open Conal-Tuohy opened 8 months ago
Trove's response to the following request contains a single access-control-allow-origin header:
curl --verbose 'https://api.trove.nla.gov.au/v3/result?category=newspaper&n=0&encoding=json'
Trove's response to the following request contains two access-control-allow-origin headers:
curl -H 'Origin: http://localhost' --verbose 'https://api.trove.nla.gov.au/v3/result?category=newspaper&n=0&encoding=json'
Libraries Australia reference: RSref165736
I've had no confirmation from NLA, but the bug appears to be fixed:
curl -s --verbose 'https://api.trove.nla.gov.au/v3/result?category=newspaper&n=0&encoding=json' 2>&1 \
| grep --ignore-case --fixed-strings "Access-Control-Allow-Origin:"
produces < access-control-allow-origin: *
Still seems to be broken?
curl H 'Origin: http://localhost' --verbose 'https://api.trove.nla.gov.au/v3/result?category=newspaper&n=0&encoding=json' 2>&1 | grep --ignore-case --fixed-strings "Access-Control-Allow-Origin:"
Produces:
< access-control-allow-origin: *
< access-control-allow-origin: *
You're absolutely right @wragge that this bug persists. My comment from Dec 20 was mistaken because I failed to send an Origin header in that test. BTW your example did the same for me, until I realised that H should have been -H. I will chase it up with the NLA.
If a request is made to the Trove API containing an "Origin" request header, then the response includes two access-control-allow-origin headers, both with the value *. If a request is made without an Origin header, then a single access-control-allow-origin header is returned. However, requests to the API from a JS client in a browser will always have an Origin header, and because multiple Access-Control-Allow-Origin headers are not allowed, these requests will fail, making it impossible to call the Trove API from such a client, except by going through a proxy which can remove one of the supernumerary headers. This is a Trove server error.
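
The check discussed in this thread, as an added example that is not part of the original posts or of Trove's code: a shell function that applies the browser's origin comparison to captured response headers, so a duplicated header is reported as a failure instead of being read off grep output by eye. The function names and the sample header dumps are constructed for illustration, and a request without credentials is assumed.

```bash
# Emulates the browser's CORS origin check on captured response headers.
# stdin: raw headers (curl -D -) or curl --verbose output ("< " prefixed).
# Live use (flags are standard curl; URL is the one from the thread):
#   curl -s -o /dev/null -D - -H 'Origin: http://localhost' "$URL" \
#     | cors_verdict 'http://localhost'

# Constructed samples modelled on the grep output quoted in the thread.
SAMPLE_DUPLICATE='< HTTP/2 200
< content-type: application/json
< access-control-allow-origin: *
< access-control-allow-origin: *'
SAMPLE_SINGLE='< HTTP/2 200
< content-type: application/json
< access-control-allow-origin: *'

# Print each Access-Control-Allow-Origin value on its own line.
acao_values() {
  tr -d '\r' | sed 's/^< //' |
    awk 'tolower($0) ~ /^access-control-allow-origin:/ {
           sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print }'
}

# cors_verdict ORIGIN   (headers on stdin)
# Prints "pass" or "fail: <reason>"; exit status 0 on pass, 1 on fail.
# Assumes a request without credentials, where "*" is an acceptable value.
cors_verdict() {
  origin=$1
  values=$(acao_values)
  if [ -z "$values" ]; then
    echo "fail: no Access-Control-Allow-Origin header"; return 1
  fi
  count=$(printf '%s\n' "$values" | wc -l | tr -d ' ')
  # Repeated headers are joined with ", " before the comparison, so two
  # "*" headers become "*, *", which matches neither "*" nor the origin.
  combined=$(printf '%s\n' "$values" | awk 'NR > 1 { printf ", " } { printf "%s", $0 }')
  if [ "$count" -gt 1 ]; then
    echo "fail: $count headers combine to '$combined'"; return 1
  fi
  if [ "$combined" = "*" ] || [ "$combined" = "$origin" ]; then
    echo "pass"; return 0
  fi
  echo "fail: '$combined' does not match origin '$origin'"; return 1
}
```

Because the function returns a non-zero status on failure, it can gate a monitoring job or a CI step that watches an API for this regression.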