CORS headers omitted for some endpoints

[nashley]

Background information

• Dendrite version or git SHA: 3069079e37510dbda59b2b272ce133ef81832d7b
• Monolith or Polylith?: monolith
• SQLite3 or Postgres?: sqlite
• Running in Docker?: :x: (no)
• go version: go1.16 linux/arm
• Running behind nginx. Config here.

Description

Access-Control-Allow-Headers and Access-Control-Allow-Methods and Access-Control-Allow-Origin aren't specified for the following endpoints:

• /_matrix/client/r0/joined_groups
• /_matrix/client/r0/create_group
• /_matrix/client/unstable/room_keys/version
• /_matrix/client/r0/pushers
• /_matrix/client/r0/publicised_groups
• /_matrix/client/r0/user/%40username%3Aserver.address/openid/request_token (substitute username and server.address)
• /_matrix/client/unstable/room_keys/version However, they are specified for seemingly every other endpoint. For example, creating & chatting in rooms works just fine.

Steps to reproduce

• Open developer console's network tab
• Go to self-hosted https://server.address/#/groups and try to create a group

I'd expect the appropriate CORS headers to be returned for these endpoints like they are for the others. If that's not desired for some reason, I'd expect a documented explanation.

[neilalexander]

These endpoints aren't implemented yet. That's why there are no CORS headers returned for them.

[nashley]

Ah, I thought that might be the case. Would it be useful if I submitted a PR to stub them out and return a ~501~ ~405~ 404 with the standard CORS headers?

[neilalexander]

I'm not sure if a 404 with CORS headers is any better than a 404 without CORS headers?

@Kegsay Any thoughts?

[kegsay]

Please do not attach CORS headers for these endpoints. We have no plans to implement some of them.