Closed lidel closed 4 months ago
@ns4plabs for now, let's add the missing header at nginx level
@hacdias i wonder if we should make liberal CORS the default in boxo/gateway
, so we don't have to set them up every time on public gateways?
These are more often desired (subdomain and path gateways) rather than not.
Access to fetch at 'https://trustless-gateway.link/ipfs/QmW9pMY7fvbxVA2CaihgxJRzmSv15Re2TABte4HoZdfypo?format=raw' from origin 'https://cdpn.io' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
@hacdias i wonder if we should make liberal CORS the default in
boxo/gateway
, so we don't have to set them up every time on public gateways?
@lidel, also, do we have recommended config for trustless gateways in the IPIP or elsewhere? i.e. CORS should allow any origin?
specs are tracked in https://github.com/ipfs/specs/issues/423
until we have them, as a rule of thumb, always assume public gateways must have liberal CORS so other websites can fetch content from them
@lidel we already have a function that applies the liberal CORS: https://github.com/ipfs/boxo/blob/main/gateway/gateway.go#L431. If your suggestion is to apply it by default, I would also suggest stopping to export it.
It seems fine to me to change the default, as long as we make it clear.
I assumed we forgot to enable CORS in Rainbow, and it had to be added in Nginx, but I've checked latest Kubo and ghcr.io/ipfs/rainbow:main-latest
and both have Access-Control-Allow-Origin: *
, so we don't need to change anything in boxo, this seems to be an infra thing.
@ns4plabs any idea why Access-Control-Allow-Origin: *
gets dropped on trustless-gateway.link
and not ipfs.io
?
I'm not sure this is working in Kubo 0.25.0, unless I've misconfigured it.
I have enabled CORS on the API with:
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["*"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["GET", "POST"]'
And turned on the routing API on the gateway and enabled CORS with:
ipfs config --json Gateway.ExposeRoutingAPI 'true'
ipfs config --json Gateway.HTTPHeaders.Access-Control-Allow-Origin '["*"]'
ipfs config --json Gateway.HTTPHeaders.Access-Control-Allow-Methods '["GET", "POST"]'
I can make a fetch request to the API from any origin with:
await fetch('http://127.0.0.1:5101/api/v0/id', { method: 'POST' })
Response { type: 'cors', url: 'http://127.0.0.1:5101/api/v0/id' ...
But I get errors from the routing API:
await fetch('http://127.0.0.1:8180/routing/v1/ipns/bafzaajaiaejcbsm3udfhqd6ailaazwtte7543vgezji6ultv43jkdxhd4elgc5wr', { headers: { Accept: 'application/vnd.ipfs.ipns-record' }})
Access to fetch at 'http://127.0.0.1:8180/routing/v1/ipns/bafzaajaiaejcbsm3udfhqd6ailaazwtte7543vgezji6ultv43jkdxhd4elgc5wr' from origin 'http://127.0.0.1:5101' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
@achingbrain that is indeed a bug. The config gateway headers are applied solely to the gateway handler, and to nothing else on that HTTP listener.
@lidel I see two options:
HTTPHeaders
option from boxo/gateway
. The implementer is then responsible for setting up some middleware (< 10 lines) that sets the headers they want. In Kubo this is trivial with the corehttp.Option
system, and would then apply to everything in the gw port.Yep, it is a bug, since /routing/v1
is exposed on gateway port, it should have the same implicit config and user-provided Gateway.HTTPHeaders
applied as /ipfs
handler.
@hacdias +1 to refactoring things and moving implicit/explicit header setup into a dedicated reusable middleware handler (example, we would write our own version). I think we should have it in boxo/gateway
and have it in examples, so people don't need to write their own for basic stuff like implicit CORS.
In Kubo, the middleware would add all implicit headers and CORS from boxo/gateway + add any user provided configuration from Gateway.HTTPHeaders
and we could put it in front of both /routing/v1 and /ipfs handlers sgtm.
This way it is in one place and we don't need to pass anything into the routing handler.
We rolled out https://github.com/protocol/bifrost-infra/pull/2826 and now the Rainbow headers are passed through
I believe we can probably close this now. confirmed that requests are working properly at https://codepen.io/SgtPooki/pen/JjxYpZX
Confirming this is working too. Can be closed @lidel (I don't have permissions)
trustless-gateway.link can't be used in browser due to missing CORS header.
Repro steps
@sgtpooki created demo at https://codepen.io/SgtPooki/pen/JjxYpZX
Can be reproduced by looking at Network tab in devtools.
Problem
I think the exact problem is that response is missing
access-control-allow-origin: *
:cc @sgtpooki @ns4plabs @2color