Closed ctron closed 1 year ago
Option a)
The user sets the following to enable "permissive". In this case, all other options are ignored:
HTTP__CORS__PERMISSIVE=true
Otherwise it is necessary to configure CORS. The helm charts should provide working defaults.
Option b)
The user can switch between "permissive", "none", and "manual"
HTTP__CORS__MODE=permissive
HTTP__CORS__MODE=none
HTTP__CORS__MODE=manual # implicit default
Only when the mode is manual
, the other options will be considered.
Option B allows more flexibility and it's not that hard to implement. also, I wonder if services could provide default settings in the rust code, like for the allowed methods ?
i.e. https://github.com/drogue-iot/drogue-cloud/blob/main/http-endpoint/src/lib.rs#L109
So maybe do:
MODE=permissive
MODE=none
MODE= # unset
MODE=custom
permissive: wildcard CORS none: no CORS unset: application provided default custom: custom settings, with application defaults
We do enable CORS by default now. With some reasonable settings. However, the user should be able to opt-out of it, enabling the "permissive" mode.