Closed stuarteberg closed 4 months ago
Yes, if CORS is enabled by default, any DVID fronted by nginx, which is fairly common, would break because nginx would also be handling CORS and we'll get issues. We could add a flag to "dvid serve" that allows shutting off any CORS handling, and make sure all current nginx-fronted DVID servers that get code updates start using that -noCORS flag.
Given the roadmap for DVID usage and legacy systems, this seems like an unnecessary enhancement.
Is there any reason at all not to enable CORS by default, always?
I know we can configure permissive CORS access in the TOML file:
...but sometimes we forget to do that. I am too afraid to even try to estimate how many developer hours of debug time we've lost due to CORS issues over the years. As far as I can tell, there is nothing in DVID that presents a security concern that would be helped by restrictive CORS headers. Make it permissive by default, but allow us to lock it down in the TOML if we really want to.
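The nginx concern raised in the reply above, as an added example that is not DVID's or nginx's own code: when both the application and the front proxy emit `Access-Control-Allow-Origin`, the client receives two values, and browsers reject a response carrying more than one. The sketch models the proxy with Go's `httputil.ReverseProxy`; `backend`, `inProcess`, `ACAOValues` and the `.invalid` hostnames are hypothetical names constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

const acao = "Access-Control-Allow-Origin"

// inProcess lets the proxy reach the backend handler without opening a socket.
type inProcess struct{ h http.Handler }
func (t inProcess) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// backend stands in for the application server; corsOn models built-in CORS.
func backend(corsOn bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		if corsOn {
			w.Header().Set(acao, "*")
		}
		fmt.Fprint(w, "ok")
	})
}

// ACAOValues returns every Access-Control-Allow-Origin value a client sees via a front
// proxy that appends its own header; stripUpstream drops the backend's copy first.
func ACAOValues(corsOn, stripUpstream bool) []string {
	target, _ := url.Parse("http://backend.invalid") // constructed placeholder
	p := httputil.NewSingleHostReverseProxy(target)
	p.Transport = inProcess{backend(corsOn)}
	p.ModifyResponse = func(resp *http.Response) error {
		if stripUpstream {
			resp.Header.Del(acao)
		}
		resp.Header.Add(acao, "*")
		return nil
	}
	rec := httptest.NewRecorder()
	p.ServeHTTP(rec, httptest.NewRequest("GET", "http://front.invalid/", nil))
	return rec.Result().Header.Values(acao)
}

func main() {
	fmt.Println(len(ACAOValues(true, false)), len(ACAOValues(false, false)), len(ACAOValues(true, true)))
}
```

Turning off CORS in the backend or stripping the upstream header at the proxy each leaves exactly one value; in nginx the stripping step corresponds to `proxy_hide_header`.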