hsci-r / runoregi


Runoregi needs to set CORS headers #3

Open jiemakel opened 3 years ago

jiemakel commented 3 years ago

For access from in-browser JavaScript apps, Runoregi needs to set CORS headers at least for CSV responses, but no harm in enabling globally either. Probably https://github.com/may-day/wsgicors will allow for an easy implementation?

maciejjan commented 3 years ago

Can you specify more what exactly needs to be set and what is it needed for?

jiemakel commented 3 years ago

JavaScript applications running in browsers can't access any HTTP APIs / fetch any HTTP content in general in other domains where the server does not add the correct CORS headers to its responses. The server needs to set at least an Access-Control-Allow-Origin: * header and an Access-Control-Allow-Methods: * header (or Access-Control-Allow-Methods: HEAD, GET, OPTIONS or some such). In addition, it needs to answer HTTP OPTIONS requests with these headers in addition to e.g. the basic GET, because these are used as "pre-flight" checks by the browsers. If we put stuff behind authentication, we'll also need suitable Access-Control-Allow-Headers and possibly Access-Control-Allow-Credentials.

But basically, I suggest using the ready package mentioned above for this and allowing everything, as there should be no problem with doing so (CORS protection is mainly meant to prevent people e.g. spamming Facebook's or Twitter's API from spoofed sites using a user's credentials stored in their cookies).

Where I ran into this is the filter-verse-expansion-ui, which currently uses a proxy to get around the problem (see https://github.com/hsci-r/filter-verse-expansion-ui/blob/main/src/App.svelte#L309).
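The behaviour described in the comment above, as an added example that is not code from the issue, the wsgicors package or the runoregi project: a minimal WSGI middleware that attaches the CORS headers to every response and answers pre-flight OPTIONS requests itself, wrapped around a constructed stand-in for a CSV endpoint. The names `cors_middleware`, `csv_app` and `call` are assumptions made for this example.

```python
from wsgiref.util import setup_testing_defaults

# Constructed example, not the wsgicors package: a WSGI middleware that adds
# the headers a browser needs before cross-origin JavaScript may read the
# response, and that short-circuits the pre-flight OPTIONS request.
ALLOWED_METHODS = "HEAD, GET, OPTIONS"
ALLOWED_HEADERS = "Content-Type"


def cors_middleware(app, allow_origin="*"):
    # Note: Access-Control-Allow-Credentials: true is rejected by browsers when
    # the origin is "*"; a credentialed setup must echo one specific origin.
    cors_headers = [
        ("Access-Control-Allow-Origin", allow_origin),
        ("Access-Control-Allow-Methods", ALLOWED_METHODS),
        ("Access-Control-Allow-Headers", ALLOWED_HEADERS),
    ]

    def wrapped(environ, start_response):
        if environ.get("REQUEST_METHOD") == "OPTIONS":
            # Pre-flight check: reply with the CORS headers and no body.
            start_response("204 No Content", cors_headers + [("Content-Length", "0")])
            return [b""]

        def cors_start_response(status, headers, exc_info=None):
            # Append the CORS headers to whatever the wrapped app sends.
            return start_response(status, list(headers) + cors_headers, exc_info)

        return app(environ, cors_start_response)

    return wrapped


def csv_app(environ, start_response):
    # Constructed stand-in for a CSV endpoint such as Runoregi's.
    start_response("200 OK", [("Content-Type", "text/csv")])
    return [b"poem_id,verse\n1,constructed sample verse\n"]


def call(app, method, path="/csv"):
    """Run one request through a WSGI app; return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Running `call(cors_middleware(csv_app), "OPTIONS")` yields a 204 with the three headers and an empty body, while a GET keeps the CSV body and gains the same headers.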