Nostr plugin have to add "Access-Control-Allow-Origin: *" header in nostr.json response

[Perlover]

Hello!

My last BTCPay version is BTCPay Server v1.9.1+d738f797e I noticed that the plugin Nostr generates a JSON object without HTTP header "Access-Control-Allow-Origin: *"

This header is very desirable, since most clients (exactly web clients) will not be able to get the content, because the cross policy prohibits them from doing so without this header. Adding content manually is difficult if BTCPay is deployed as a docker container. The most correct thing is for the plugin to generate this header on its own. Either nginx, but the latter is also part of the docker bundle.

[Perlover]

Just updated to new version of plugin: v1.0.11. There is same problem...

[Perlover]

see also here: https://github.com/nostr-protocol/nips/blob/master/05.md#allowing-access-from-javascript-apps

[Kukks]

This is incorrect. We DO generate an Access-Control-Allow-Origin header response (if an Origin request header is present).

~You are probably encountering an attempt to make a preflight request via an OPTIONS HTTP method, while we only allow a GET on this endpoint. Most likely, someone is trying to use the JS fetch function which does that additional, unnecessary request.~

Scratch that, this is still not an issue. I tested with fetch and it still worked await fetch("https://kukks.org/.well-known/nostr.json?name=kukks")

So I'm not sure what you're experiencing.

See: https://cors-test.codehappy.dev/?url=https%3A%2F%2Fkukks.org%2F.well-known%2Fnostr.json%3Fname%3Dkukks&origin=https%3A%2F%2Fcors-test.codehappy.dev%2F&method=get

[Perlover]

I'm sorry! That's right and CORS is working! I checked without specifying the Origin header in the request. As soon as I specify it, the server exposes the header. Thanks for the clarification! :)