rybesh
commented
4 years ago - [ ] ORCID
orcid.orgdoes not set CORS headers: testpub.orcid.orgdoes not set CORS headers: testpub.orcid.org/v3.0/does set CORS headers: test - [X] DOI supports CORS
doi.orgdoes set CORS headers if anAcceptheader is set : testdx.doi.orgdoes set CORS headers if anAcceptheader is set : testdoi.org/api/handles/does set CORS headers testdata.crossref.orgdoes set CORS headers but will fail with406 Not Acceptableunless anAcceptheader is set to one of the content types that Crossref supports: test (Note also that not all DOIs are Crossref DOIs, so we might want to consider usingdoi.orgrather thandata.crossref.orgto resolve DOIs.) - [ ] Worldcat
www.worldcat.orgdoes not set CORS headers testexperiment.worldcat.orgdoes set CORS headers, but only on HTTP requests and not HTTPS requests, which is useless: test http / test https - [X] N2T supports CORS
n2t.netdoes set CORS headers test
gbilder
In modern web browsers, making requests from JavaScript (JS) to URLs with domains that differ from the one where the JavaScript originated is forbidden by default.
Servers that wish to allow JS requests from other domains can indicate this by setting an
Access-Control-Allow-Originheader, e.g.Access-Control-Allow-Origin: *to allow JS requests from any domain.
Since JS applications working with linked data URLs need to be able to make GET requests to those URLs, in order to discover the resources to which they point, then it makes sense for both URL resolvers and linked data servers to set this header.
In order to ensure that JS on arbitrary domains can only read and not write to URL resolvers and linked data servers, it may also make sense to only allow GET requests by setting an
Access-Control-Allow-Methodsheader, e.g.:Access-Control-Allow-Methods: GETSince a
302 Redirect(or other redirect) response is useless without theLocationheader, and browsers by default do not expose the Location header to JS, it also makes sense for URL resolvers to expose that header by setting anAccess-Control-Expose-Headersheader, e.g.:Access-Control-Expose-Headers: LocationBy setting these headers, URLs of linked data publishers and resolvers become usable from JS running in browsers, without compromising the security of their servers.
Unfortunately, more than six years after Cross-Origin Resource Sharing (CORS) became a W3C Recommendation, support for these CORS headers among major scholarly data publishers and resolvers is still poor.