Open jiemakel opened 3 years ago
Can you specify more what exactly needs to be set and what is it needed for?
JavaScript applications running in browsers can't access any HTTP APIs / fetch any HTTP content in general in other domains where the server does not add the correct CORS headers to its responses. The server needs to set at least an `Access-Control-Allow-Origin: *` header and an `Access-Control-Allow-Methods: *` header (or `Access-Control-Allow-Methods: HEAD, GET, OPTIONS` or somesuch). In addition, it needs to answer HTTP OPTIONS requests with these headers in addition to e.g. the basic GET, because these are used as "pre-flight" checks by the browsers. If we put stuff behind authentication, we'll also need suitable `Access-Control-Allow-Headers` and possibly `Access-Control-Allow-Credentials`.
But basically, I suggest using the ready package mentioned above for this and allowing everything, as there should be no problem with doing so (CORS protection is mainly meant to prevent people e.g. spamming Facebook's or Twitter's API from spoofed sites using a user's credentials stored in their cookies).
Where I ran into this is the filter-verse-expansion-ui, which currently uses a proxy to get around the problem (see https://github.com/hsci-r/filter-verse-expansion-ui/blob/main/src/App.svelte#L309).
For access from in-browser JavaScript apps, Runoregi needs to set CORS headers at least for CSV responses, but no harm in enabling globally either. Probably https://github.com/may-day/wsgicors will allow for an easy implementation?
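
An added example, not part of the thread and not wsgicors' own code: a standard-library WSGI middleware that sets the headers discussed above and answers OPTIONS preflights. It also covers the authenticated case, where browsers refuse `Access-Control-Allow-Origin: *` combined with `Access-Control-Allow-Credentials: true`, so the request's origin is matched against an allowlist instead. `CorsMiddleware`, `csv_app` and `call` are hypothetical names, and the CSV body is constructed sample data.

```python
from wsgiref.util import setup_testing_defaults

class CorsMiddleware:
    """Adds CORS headers to every response and answers OPTIONS preflights."""
    def __init__(self, app, allowed_origins=None, credentials=False,
                 methods="HEAD, GET, OPTIONS", headers="Authorization, Content-Type"):
        if credentials and not allowed_origins:
            raise ValueError("credentialed CORS needs an explicit origin allowlist")
        self.app = app
        self.allowed = set(allowed_origins or ())
        self.credentials, self.methods, self.headers = credentials, methods, headers

    def _cors_headers(self, origin):
        if not self.allowed:              # public, unauthenticated API: wildcard
            return [("Access-Control-Allow-Origin", "*")]
        if origin not in self.allowed:    # unknown origin: no grant, browser blocks the read
            return [("Vary", "Origin")]
        out = [("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]
        if self.credentials:
            out.append(("Access-Control-Allow-Credentials", "true"))
        return out

    def __call__(self, environ, start_response):
        cors = self._cors_headers(environ.get("HTTP_ORIGIN"))
        if environ["REQUEST_METHOD"] == "OPTIONS":   # pre-flight check
            cors += [("Access-Control-Allow-Methods", self.methods),
                     ("Access-Control-Allow-Headers", self.headers)]
            start_response("204 No Content", cors)
            return []
        def start(status, resp_headers, exc_info=None):
            return start_response(status, list(resp_headers) + cors, exc_info)
        return self.app(environ, start)

def csv_app(environ, start_response):
    """Stand-in for an app serving CSV (constructed sample data)."""
    start_response("200 OK", [("Content-Type", "text/csv")])
    return [b"id,text\n1,constructed row\n"]

def call(app, method="GET", origin=None):
    """Drive a WSGI app once; return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    if origin:
        environ["HTTP_ORIGIN"] = origin
    captured = {}
    def sr(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, sr))
    return captured["status"], dict(captured["headers"]), body
```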