Hi
I agree with the point mentioned in this comment that we should not allow the POST /package API from the browser by default as it modifies the system.
However, I am not very convinced by the approach we are taking to disable this feature from a browser.
Impact of no CORS:
Difficult POC: We'll need NGINX or similar proxy servers to manipulate headers. This initially demands resources/time/effort, which drops the motivation for adopting Piston.
Proposed Solution:
We can control CORS from the Piston config, disabled by default (current behavior). However, we can discuss enabling it in docker-compose.dev.yml.
In case we really want to be careful with the POST /packages API:
We can enable this feature (POST /packages endpoint) based on a config.
Or we decouple the system-impacting feature from the user-facing endpoint list. We can provide a small script kind of tool to install a package manually inside the /piston/packages dir.
In case we can conclude on this, I'll be happy to contribute to the implementation :-)