oasis-open / cti-stix-visualization

OASIS TC Open Repository: Lightweight visualization for STIX 2.0 objects and relationships
http://oasis-open.github.io/cti-stix-visualization
BSD 3-Clause "New" or "Revised" License

Cross Origin issues when fetching a URL source that does not have 'Access-Control-Allow-Origin' set #22

Closed Bojak4616 closed 7 years ago

Bojak4616 commented 7 years ago

I think the easiest solution to this is asking the user to create a GitHub gist to host their STIX JSON.

It doesn't fix the issue, but unless their web server allows cross-origin requests there is no local way to fix this.

Bojak4616 commented 7 years ago

As per a conversation with @clenk, it looks like https://cors.io/ may be able to solve this issue. From what we can tell, it scrapes the desired website and runs its own web service that allows cross-origin requests. This way you are able to get the desired JSON from any raw JSON link.

An example would look like so: https://oasis-open.github.io/cti-stix-visualization/?url=https://cors.io/?https://pastebin.com/raw/wCAs4ECd

The https://cors.io/? could be prepended internally if this is a route we choose to take.

@gtback Thoughts? Adding liability of another service, especially one that seems to not have a large backing behind it, might not be something we wish to do. However, it would enable JSON input from any external site.

gtback commented 7 years ago

This application is temporarily over its serving quota. Please try again later.

Lol.

I don't think we should always prepend https://cors.io. Maybe we should just add a note (either always, or just when we detect a CORS error... if there's some way to do so).

Bojak4616 commented 7 years ago

I like the second option, using the proxy if a CORS error was detected; I'll look at how to hook that error.

This application is temporarily over its serving quota. Please try again later.

Yiiiikes

Bojak4616 commented 7 years ago

It's looking less and less likely that we should use https://cors.io.

When browsing to https://cors.io/?https://pastebin.com/raw/wCAs4ECd (which contains some STIX I uploaded), we are now greeted with:

stolen content from pastebin.com. your request has been blocked! visit pastebin.com for the original content.

I'm a little confused as to why it would do this, but it doesn't appear to be a long-term solution.

@gtback Do you think it's unreasonable to ask users to create a GitHub gist of the content they would normally host themselves? I understand the benefits of them hosting their own content but our functionality is limited using GitHub Pages.

I can look into using the GitHub API to create an anonymous gist of data pasted into the "parse" field and return it to the user, if that seems useful. Thoughts?

gtback commented 7 years ago

No, for now let's just put a message in the "paste a URL" section that says something to the effect of "the server must allow cross-origin requests from github.io. You can use a gist if you need to host the content somewhere and don't have control over server headers".

If it's possible to detect that an AJAX call was rejected due to CORS, it might be helpful to raise an error message rather than silently failing (as it seems to be doing now).
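
The detection gtback asks about above is awkward because browsers deliberately do not tell a page why a cross-origin fetch failed: a missing Access-Control-Allow-Origin header surfaces only as a rejected promise with a generic TypeError ("Failed to fetch", "NetworkError when attempting to fetch resource.", "Load failed"), indistinguishable from a DNS or connection failure. The following is an added example, not code from the cti-stix-visualization project or from anyone in this thread. It assumes the viewer page is served from https://oasis-open.github.io (the `PAGE_ORIGIN` constant) and that the bundle is loaded with `fetch`; the function and variable names are illustrative. The heuristic it implements: if the URL is cross-origin and the request rejected before any response arrived, report it as "most likely CORS" and point the user at the gist workaround, while HTTP errors, bad JSON and non-bundle JSON each get their own message instead of a silent failure.

```javascript
// Added example (not part of cti-stix-visualization): load a STIX 2.0 bundle
// from a user-supplied URL and turn a CORS rejection into a readable message.

// Assumed origin of the page issuing the request (GitHub Pages for this project).
const PAGE_ORIGIN = 'https://oasis-open.github.io';

// True when `url` resolves to a different origin than the page, i.e. the
// browser will apply CORS to the request.
function isCrossOrigin(url, pageOrigin = PAGE_ORIGIN) {
  return new URL(url, pageOrigin).origin !== pageOrigin;
}

// Map a failure to {kind, message}. `err` is the thrown error (if any) and
// `status` is the HTTP status when a response did arrive. fetch() only throws
// a TypeError when no response was obtained at all; for a cross-origin URL
// that is most often a CORS rejection, so we say so and suggest the workaround.
function classifyFetchFailure(url, err, status = null) {
  if (status !== null) {
    return { kind: 'http', message: `Server returned HTTP ${status} for ${url}` };
  }
  if (err instanceof SyntaxError) {
    return { kind: 'parse', message: `Response from ${url} is not valid JSON: ${err.message}` };
  }
  if (err instanceof TypeError && isCrossOrigin(url)) {
    return {
      kind: 'cors',
      message:
        `Could not fetch ${url}. The browser blocked the request, most likely ` +
        `because the server does not send an "Access-Control-Allow-Origin" header ` +
        `that allows ${new URL(PAGE_ORIGIN).host}. Host the JSON somewhere that ` +
        `permits cross-origin requests (e.g. the raw URL of a GitHub gist) or paste it directly.`,
    };
  }
  return { kind: 'network', message: `Could not fetch ${url}: ${err.message}` };
}

// Fetch and parse a bundle. `fetchImpl` is injectable so the error handling
// can be exercised outside a browser; in the page it defaults to window.fetch.
async function loadStixBundle(url, fetchImpl = globalThis.fetch) {
  let response;
  try {
    response = await fetchImpl(url, { mode: 'cors' });
  } catch (err) {
    return { ok: false, error: classifyFetchFailure(url, err) };
  }
  if (!response.ok) {
    return { ok: false, error: classifyFetchFailure(url, null, response.status) };
  }
  let bundle;
  try {
    bundle = JSON.parse(await response.text());
  } catch (err) {
    return { ok: false, error: classifyFetchFailure(url, err) };
  }
  // A STIX 2.0 bundle is an object with type "bundle" and an "objects" array.
  if (!bundle || bundle.type !== 'bundle' || !Array.isArray(bundle.objects)) {
    return { ok: false, error: { kind: 'stix', message: `JSON at ${url} is not a STIX 2.0 bundle` } };
  }
  return { ok: true, bundle };
}
```

In the page this would be wired as `loadStixBundle(urlField.value).then(r => r.ok ? render(r.bundle) : showError(r.error.message))`. Because the "cors" classification is a heuristic, the message says "most likely" rather than asserting the cause; a user whose server is simply down will see the same text, which is still more useful than a blank canvas.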

Bojak4616 commented 7 years ago

A simple fix has been merged in PR #24.