instructure / canvas-lms

The open LMS by Instructure, Inc.
https://github.com/instructure/canvas-lms/wiki
GNU Affero General Public License v3.0

CORS headers not set on API urls, making custom web apps from a separate origin from the instance impossible #2292

Open AverseABFun opened 7 months ago

AverseABFun commented 7 months ago

Summary:

Access-Control-Allow-Origin is not set on API urls, leading to any web app not being able to access any API url.

Steps to reproduce:

  1. Make a basic Canvas web app, for instance trying to access /api/v1/users/self with the correct authorization but on a different host than the Canvas instance
  2. Run it.
  3. Go to the browser and check the console in the inspect menu; you will see an error message looking something like: [image]

Expected behavior:

The Access-Control-Allow-Origin header is set properly to *, allowing any host to access it.

Actual behavior:

The Access-Control-Allow-Origin header is not set at all, leading to no request that returns data being able to be made.

Additional notes:

This can be worked around with a CORS proxy, but that is not preferable. For some requests, this can also be worked around with a no-cors mode, but that would not work for any requests that return necessary data, as no-cors makes no data be returned.
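As an added example that is not part of this issue or of the Canvas code base, here is how an API server can answer the cross-origin request described above without a bare `*`: echo an allow-listed Origin and answer the preflight the browser sends because `Authorization` is not a safelisted header. The origin, the request shape and the header names on the app side are constructed for illustration.

```javascript
// Added example (not Canvas code): CORS response headers for an API URL
// such as /api/v1/users/self, driven by an explicit origin allow-list.
// requestHeaders is a plain object with lower-cased header names, as
// Node's http module provides.

const ALLOWED_ORIGINS = new Set([
  "https://my-canvas-app.example", // constructed sample origin
]);

// Returns the CORS headers to attach to the response, or {} when the
// Origin is missing (same-origin or non-browser caller) or not allowed,
// so the browser refuses to expose the response to the calling page.
function corsHeaders(method, requestHeaders, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = requestHeaders["origin"];
  if (!origin || !allowedOrigins.has(origin)) return {};

  const headers = {
    // Echo the specific origin instead of "*": browsers reject a wildcard
    // whenever the request carries credentials (cookies or
    // fetch(..., {credentials: "include"})), and a wildcard would let any
    // site read the API through whatever session the browser attaches.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Shared caches must key on Origin, or one client's allow header
    // would be served to another origin.
    "Vary": "Origin",
  };

  if (method === "OPTIONS") {
    // Preflight: the browser asks before sending the real request.
    // Grant only the headers the client asked for, with a sane default.
    const requested = requestHeaders["access-control-request-headers"] || "";
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS";
    headers["Access-Control-Allow-Headers"] = requested || "Authorization, Content-Type";
    headers["Access-Control-Max-Age"] = "600"; // seconds the browser may cache the grant
  }
  return headers;
}

// Walk through the sequence a browser performs for the request in step 1.
function demo() {
  const app = { origin: "https://my-canvas-app.example" };
  const preflight = corsHeaders("OPTIONS", {
    origin: app.origin,
    "access-control-request-method": "GET",
    "access-control-request-headers": "authorization",
  });
  const actual = corsHeaders("GET", { origin: app.origin, authorization: "Bearer <token>" });
  const blocked = corsHeaders("GET", { origin: "https://other-site.example" });
  return { preflight, actual, blocked };
}
```

Because the allow-list is the access control, `ALLOWED_ORIGINS` belongs in deployment configuration rather than in the source.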