Scifabric / pybossa

PYBOSSA is the ultimate crowdsourcing framework (aka microtasking) to analyze or enrich data that can't be processed by machines alone.
http://pybossa.com
GNU Affero General Public License v3.0

CORS support #55

Closed rufuspollock closed 12 years ago

gka commented 12 years ago

Apparently this doesn't work with POST requests on taskrun.

For instance, this CORS POST request:

OPTIONS /api/taskrun HTTP/1.1
Host: pybossa.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Origin: http://apps.pybossa.vis4.net
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Pragma: no-cache
Cache-Control: no-cache

which was fired using jQuery:

$.ajax({
    url: 'http://pybossa.com/api/taskrun',
    type: 'POST',
    dataType: 'json',
    processData: false,
    contentType: 'application/json',
    data: JSON.stringify({
        app_id: 1,
        task_id: 1,
        info: 'yes'
    })
});

failed because:

XMLHttpRequest cannot load http://pybossa.com/api/taskrun. Origin http://apps.pybossa.vis4.net is not allowed by Access-Control-Allow-Origin.

The server returned the following response headers, which are lacking the Access-Control-Allow-Origin:

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Wed, 01 Aug 2012 11:07:51 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Allow: HEAD, POST, OPTIONS, GET
Set-Cookie: session="xxxxxxxxxxxxxx"; Path=/; HttpOnly
Content-Length: 0

In contrast, if I fire a GET request to api/app the server correctly sets the Access-Control-Allow- headers.

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Wed, 01 Aug 2012 11:26:55 GMT
Content-Type: application/json
Connection: keep-alive
Content-Length: 7199
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: HEAD, POST, OPTIONS, GET
Access-Control-Max-Age: 21600
Set-Cookie: session="xxxxxxxxxxxxxx"; Path=/; HttpOnly

My (wild) guess is that the Flask app doesn't respond to OPTIONS requests properly; they are not handled by APIBase.

Another way to fix this might be the server config. @pudo suggested something like this: https://gist.github.com/1064640
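
The preflight handling discussed in the comment above, as an added example that is not part of the original thread or of PYBOSSA's code: a stdlib-only WSGI middleware that answers the OPTIONS preflight itself and attaches CORS headers to normal responses. The names `CorsMiddleware` and `simulate`, the `ALLOWED_ORIGINS` allowlist and the stand-in API view are assumptions, and the requests are constructed.

```python
# Added example: WSGI middleware answering CORS preflights (stdlib only).
from wsgiref.util import setup_testing_defaults

ALLOWED_ORIGINS = {"http://apps.pybossa.vis4.net"}  # assumed allowlist
PREFLIGHT_HEADERS = [
    ("Access-Control-Allow-Methods", "HEAD, POST, OPTIONS, GET"),
    # The preflight above sends Access-Control-Request-Headers: content-type,
    # so the answer must allow that header for the JSON POST to proceed.
    ("Access-Control-Allow-Headers", "content-type"),
    ("Access-Control-Max-Age", "21600"),
]

class CorsMiddleware:
    def __init__(self, app, origins=ALLOWED_ORIGINS):
        self.app, self.origins = app, frozenset(origins)

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        allowed = origin in self.origins
        # Vary: Origin stops caches from reusing one origin's answer for another.
        cors = [("Vary", "Origin")]
        if allowed:
            cors.append(("Access-Control-Allow-Origin", origin))
        is_preflight = (environ["REQUEST_METHOD"] == "OPTIONS"
                        and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ)
        if is_preflight:
            # Answered here, so it never depends on the wrapped app's OPTIONS handling.
            start_response("204 No Content",
                           cors + (PREFLIGHT_HEADERS if allowed else []))
            return []

        def add_cors(status, headers, exc_info=None):
            return start_response(status, list(headers) + cors, exc_info)
        return self.app(environ, add_cors)

def simulate(method, origin, request_method=None):
    """Send one constructed request through the middleware; return (status, headers)."""
    def api(environ, start_response):  # stand-in for the real API view
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b"{}"]
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/api/taskrun",
               "HTTP_ORIGIN": origin}
    setup_testing_defaults(environ)  # fills in the remaining required WSGI keys
    if request_method:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = request_method
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(CorsMiddleware(api)(environ, start_response))
    return seen["status"], seen["headers"]
```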

gka commented 12 years ago

Here's a test case for this issue: http://jsfiddle.net/8ttuK/1/

teleyinex commented 12 years ago

Is this fixed?