coreos / fedora-coreos-cincinnati

Backend for Fedora CoreOS auto-updates (Cincinnati server)

commons/web: make CORS origin allowlist optional #42

Closed lucab closed 3 years ago

lucab commented 3 years ago

This tweaks CORS middleware in order to make the origin allowlist optional. If no allowlist is provided, all origins are accepted.

lucab commented 3 years ago

/cc @travier

lucab commented 3 years ago

@kelvinfan001 I'm happy to tweak this in some other direction, but I don't know which. The server does not know what is its own origin, so "same" is effectively a Some(vec!["foo.bar"]) that needs to be passed via configuration. Or a switch to turn off CORS completely, only allowing same-origin fetching via browser rules.

lucab commented 3 years ago

From an out-of-band chat: "same origin mode" can be effectively achieved by disabling the CORS middleware entirely. We agreed that it's fine to treat None as *, and default to that. Once we get to TOML configuration, we will model the same-origin-only case with an explicit cors.enabled = true|false, keeping this allowlist optional (i.e. defaulting to *).
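The policy agreed in the comment above, written out as an added Rust example (this is not the project's own middleware code; `CorsConfig`, `CorsDecision`, `evaluate_origin` and `allow_origin_header` are hypothetical names chosen here). It models the three cases discussed: the middleware switched off (no CORS headers at all, so browsers fall back to same-origin rules), no allowlist (`None`, treated as `*`), and an explicit allowlist matched exactly against the request's `Origin` header. Keeping the decision in a pure function with no framework dependency makes the policy easy to unit-test and to review.

```rust
// Added example, not the project's code. Framework-free model of the CORS
// origin policy described in the PR discussion; all names are hypothetical.

/// CORS configuration as sketched in the thread: an on/off switch plus an
/// optional origin allowlist. `None` means "any origin", i.e. `*`.
#[derive(Debug, Clone)]
pub struct CorsConfig {
    pub enabled: bool,
    pub allowed_origins: Option<Vec<String>>,
}

impl Default for CorsConfig {
    /// Default is "enabled, no allowlist" (accept all origins).
    fn default() -> Self {
        CorsConfig { enabled: true, allowed_origins: None }
    }
}

/// Outcome of evaluating a request's `Origin` header against the policy.
#[derive(Debug, PartialEq, Eq)]
pub enum CorsDecision {
    /// Middleware disabled: emit no CORS headers at all.
    Disabled,
    /// Emit `Access-Control-Allow-Origin: *`.
    AllowAny,
    /// Emit `Access-Control-Allow-Origin: <origin>`, echoing the matched value.
    AllowOrigin(String),
    /// Origin absent or not in the allowlist: emit no allow header.
    Deny,
}

/// Decide how to answer a request carrying `origin` (the `Origin` header,
/// if present) under `cfg`.
pub fn evaluate_origin(cfg: &CorsConfig, origin: Option<&str>) -> CorsDecision {
    if !cfg.enabled {
        return CorsDecision::Disabled;
    }
    match &cfg.allowed_origins {
        // No allowlist configured: wildcard, as agreed in the thread.
        None => CorsDecision::AllowAny,
        // Allowlist configured: exact, case-sensitive match on the full origin
        // (scheme + host + port), so "http://" and "https://" are distinct.
        Some(list) => match origin {
            Some(o) if list.iter().any(|allowed| allowed == o) => {
                CorsDecision::AllowOrigin(o.to_string())
            }
            _ => CorsDecision::Deny,
        },
    }
}

/// Header to add to the response for a decision, if any. When a specific
/// origin is echoed, a real middleware should also send `Vary: Origin` so
/// caches do not serve one origin's answer to another.
pub fn allow_origin_header(d: &CorsDecision) -> Option<(&'static str, String)> {
    match d {
        CorsDecision::AllowAny => Some(("Access-Control-Allow-Origin", "*".to_string())),
        CorsDecision::AllowOrigin(o) => Some(("Access-Control-Allow-Origin", o.clone())),
        CorsDecision::Disabled | CorsDecision::Deny => None,
    }
}

fn main() {
    // Constructed sample inputs for a stand-alone run.
    let strict = CorsConfig {
        enabled: true,
        allowed_origins: Some(vec!["https://builds.coreos.fedoraproject.org".to_string()]),
    };
    for origin in [Some("https://builds.coreos.fedoraproject.org"), Some("https://other.example"), None] {
        let d = evaluate_origin(&strict, origin);
        println!("{:?} -> {:?} / {:?}", origin, d, allow_origin_header(&d));
    }
    let d = evaluate_origin(&CorsConfig::default(), Some("https://other.example"));
    println!("default config -> {:?} / {:?}", d, allow_origin_header(&d));
}
```

One design point worth keeping in mind when the `*` default is later combined with credentials: browsers reject `Access-Control-Allow-Origin: *` on credentialed requests, so an allowlist (and echoing the matched origin) is the only way to serve authenticated cross-origin callers.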

kelvinfan001 commented 3 years ago

I think I have a better understanding now. Yeah, only allowing same origin doesn't make too much sense here (doesn't have too much of a use case), because IIUC only https://builds.coreos.fedoraproject.org/graph?stream=stable tries to request resources from cincinnati (from a browser), and Zincati is a program.