Open pchampin opened 1 month ago
Steps to reproduce:

await fetch(
    "https://w3id.org/SpOTy/ontology",
    {headers: {"user-agent": "to-force-preflight-query"}}
)

The `user-agent` header triggers a preflight request (`OPTIONS`), which fails because it got a 302 response.

Example of working configuration:

await fetch(
    "https://champin.net/2023/SpOTy/ontology",
    {headers: {"user-agent": "to-force-preflight-query"}}
)

(gets a `200 Ok` response)

There are a few things going on here. Summary is that I'm not sure how to solve this in a generic global way.
Header always set Access-Control-Allow-Origin "*"

RewriteOptions InheritDownBefore
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^ - [R=204,L]
I'm not sure what to do here. Since people haven't been complaining about this, and even I didn't realize this was an issue, perhaps it can be better documented and handled on a per-id basis when needed? It's a few lines and I think the special local use cases can be handled better. Like using other CORS headers to set allowed headers, methods, etc.
Thoughts?
Disclaimer: I don't claim to be the ultimate expert on CORS, but I think I have a fair understanding of how it works.
My thinking is that w3id.org is meant to be as transparent as possible. It sets `Access-Control-Allow-Origin` to `*`, and leaves it to the destination server to apply its own policy.
Similarly, it should accept all preflight requests, and leave it to the destination server to handle them with more scrutiny. You are right, "accepting" them requires more than just returning 204, you need to fill all the "allow" headers with whatever was requested in the preflight.
Yes, if the destination server is not configured for handling preflight requests, there will be an error down the line. This is not your concern, just like it is not your concern if the URL you redirect to returns a 404, or if it does not include the allow-origin header to allow CORS queries. Anyway, CORS is "reject by default", so if the destination server is not configured, the query will be rejected. Being permissive on w3id's side is not putting the destination server at risk.
That being said, you are right, I might just as well try to configure it locally, and when I have a working configuration, we can discuss if it is worth making it global.
SpOTy folder).

Note that, for testing in Chrome, you can force the preflight request by replacing `user-agent` with a custom header `x-foo`:
await fetch(
"https://w3id.org/SpOTy/ontology",
{headers: {"x-foo": "to-force-preflight-query"}}
)
When w3id.org gets an `OPTIONS` request, it returns a `302 Found` redirect (as it does for a `GET`). The problem is that, in a CORS context, this leads to a 'CORS request external redirect not allowed' error.

The problem would be solved if w3id.org returned a `200 Ok` on `OPTIONS`.
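The two points made in this thread, that a browser refuses a redirect on the preflight itself, and that "accepting" a preflight means more than answering 204 (the requested method and headers have to be echoed into the Allow headers), can be checked with a small model of the browser-side preflight algorithm. The following is an added example, not code from the issue, from w3id.org or from pchampin; it simplifies the Fetch spec (the `*` wildcard is always honoured, credentialed requests are not modelled) and every request and response in it is constructed for illustration, using `x-foo` as the custom header as suggested for Chrome.

```python
"""Browser-side CORS preflight check, modelled on the Fetch spec (simplified),
plus the kind of permissive OPTIONS responder this thread proposes for a
transparent redirector.  Added example, not w3id.org's code; all requests and
responses below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field

# Methods and headers that never trigger a preflight (simplified safelist).
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


@dataclass
class Preflight:
    """The OPTIONS request a browser sends before a non-simple cross-origin fetch()."""
    origin: str            # Origin header
    method: str            # Access-Control-Request-Method
    headers: list[str]     # Access-Control-Request-Headers (may be empty)


@dataclass
class Response:
    status: int
    headers: dict[str, str] = field(default_factory=dict)

    def get(self, name: str):
        """Case-insensitive header lookup; None when the header is absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def _csv(value):
    """Split a comma-separated header value into stripped tokens."""
    return [v.strip() for v in value.split(",") if v.strip()] if value else []


def needs_preflight(method: str, headers: list[str]) -> bool:
    """True when a fetch() with this method/header set is not a 'simple' request."""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    return any(h.lower() not in SAFELISTED_HEADERS for h in headers)


def preflight_verdict(req: Preflight, resp: Response):
    """Return None if a browser would accept this preflight response, else the reason."""
    if 300 <= resp.status < 400:
        # Browsers never follow a redirect on the preflight itself: this is the
        # 'CORS request external redirect not allowed' case from the issue.
        return "redirect on preflight is not allowed"
    if not 200 <= resp.status < 300:
        return f"preflight returned {resp.status}"
    acao = resp.get("Access-Control-Allow-Origin")
    if acao not in ("*", req.origin):
        return "origin not allowed"
    methods = {m.upper() for m in _csv(resp.get("Access-Control-Allow-Methods"))}
    if req.method.upper() not in SAFELISTED_METHODS and not methods & {"*", req.method.upper()}:
        return f"method {req.method} not allowed"
    allowed = {h.lower() for h in _csv(resp.get("Access-Control-Allow-Headers"))}
    for h in req.headers:
        if h.lower() not in SAFELISTED_HEADERS and not allowed & {"*", h.lower()}:
            return f"header {h} not allowed"
    return None


def permissive_preflight_response(req: Preflight) -> Response:
    """The 'accept everything' OPTIONS reply the thread describes for a redirector:
    answer 2xx (no redirect) and echo whatever the preflight asked for, leaving the
    real policy decision to the destination server's own CORS headers."""
    return Response(204, {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Methods": req.method.upper(),
        "Access-Control-Allow-Headers": ", ".join(req.headers),
    })


def compare_redirector_behaviours():
    """Constructed scenario: the fetch() from the issue, with x-foo as the custom header."""
    req = Preflight(origin="https://example.org", method="GET", headers=["x-foo"])
    # Today: the OPTIONS gets the same 302 as a GET, plus the global allow-origin header.
    redirecting = Response(302, {
        "Location": "https://champin.net/2023/SpOTy/ontology",
        "Access-Control-Allow-Origin": "*",
    })
    # A bare 204 carrying only allow-origin (the RewriteRule alone) is still not enough.
    bare_204 = Response(204, {"Access-Control-Allow-Origin": "*"})
    return (preflight_verdict(req, redirecting),
            preflight_verdict(req, bare_204),
            preflight_verdict(req, permissive_preflight_response(req)))


if __name__ == "__main__":
    print(compare_redirector_behaviours())
```

Running it yields `("redirect on preflight is not allowed", "header x-foo not allowed", None)`: the 302 is rejected before any header is examined, the 204 with only `Access-Control-Allow-Origin` fails on the unlisted `x-foo` header, and only the response that echoes the requested method and headers passes. The echoing responder is deliberately permissive; since the browser still applies the destination server's own `Access-Control-Allow-*` headers to the actual redirected request, the redirector's permissiveness does not by itself grant access to the destination.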