Edit:
After manually fixing this and playing around a bit it seems like seahub itself is also gonna need to address some issues to fully support CORS (e.g. this issue)
About
Currently there are no CORS (Cross Origin Resource Sharing) headers set for the web API.
This means that if you want to perform requests from other client web services you'll run into CORS blocks.
That can be fixed by adding the right CORS headers in the nginx configuration templates.
The Fix
A possible fix would be to set the Access-Control-Allow-Origin to *. That would allow any web client to communicate with the API.
The requests could further be limited with Access-Control-Allow-Methods or Access-Control-Allow-Headers.
Counter Arguments
Opening up CORS of course always opens up the door a little wider for CSRF (Cross Site Resource Forgery).
I'd say this is acceptable for this API though.
Alternatives
An alternative solution would be to make this configurable via an environment variable.
Additional Notes
The API of the official server at https://cloud.seafile.com/api2 actually uses Access-Control-Allow-Origin: *, although this might purely for demonstration purposes.
Edit: After manually fixing this and playing around a bit it seems like seahub itself is also gonna need to address some issues to fully support CORS (e.g. this issue)
About
Currently there are no CORS (Cross Origin Resource Sharing) headers set for the web API. This means that if you want to perform requests from other client web services you'll run into CORS blocks. That can be fixed by adding the right CORS headers in the nginx configuration templates.
The Fix
A possible fix would be to set the
Access-Control-Allow-Origin
to*
. That would allow any web client to communicate with the API. The requests could further be limited withAccess-Control-Allow-Methods
orAccess-Control-Allow-Headers
.Counter Arguments
Opening up CORS of course always opens up the door a little wider for CSRF (Cross Site Resource Forgery). I'd say this is acceptable for this API though.
Alternatives
An alternative solution would be to make this configurable via an environment variable.
Additional Notes
The API of the official server at https://cloud.seafile.com/api2 actually uses
Access-Control-Allow-Origin: *
, although this might purely for demonstration purposes.