rstudio / plumber

Turn your R code into a web API.
https://www.rplumber.io

Don't allow-origins * by default #143

Closed trestletech closed 7 years ago

trestletech commented 7 years ago

Currently Plumber defaults to providing an Access-Control-Allow-Origin=* HTTP header unless it's overridden. This opens Plumber APIs up to be requested from a browser from any origin when the request is a simple GET, HEAD, or POST using the standard HTTP headers.

This should be backed down from unless the user opts-in to permissive CORS behavior.

joelgombin commented 7 years ago

I'm not sure this is the right place to ask, but I need to opt-in to a permissive CORS behavior, allowing a cross-origin request, but I'm not sure how to do that. Following https://github.com/trestletech/plumber/issues/66, I've added this to my plumber.R file:

#* @filter cors
cors <- function(res) {
  res$setHeader("Access-Control-Allow-Origin", "*")
  plumber::forward()
}

And then this before my endpoints:

#* @preempt cors
#* @get /protected
protected <- function(adresse) {
...
}

but, as per http://resttesttest.com/, the request is still blocked when requested from the browser. Could you point me to a way to fix this? Thanks!

joelgombin commented 7 years ago

OK, don't worry, I've understood that I need to remove the @preempt lines.

Kerexeta commented 7 years ago

Hi, I currently have the same issue as @joelgombin. I have also followed what is explained in #66, but I cannot avoid the CORS error. What do you mean when you (@joelgombin) say "I need to remove the @preempt lines"? Could you post the same example, but working?

Thank you beforehand

joelgombin commented 7 years ago

Your script needs to look like this:

#* @filter cors
cors <- function(res) {
  res$setHeader("Access-Control-Allow-Origin", "*")
  plumber::forward()
}

#* @get /protected
protected <- function(adresse) {
...
}

Kerexeta commented 7 years ago

Thank you for answering so fast!! It has been useful for me!!
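
An added example, not part of the thread and not Plumber's own code: a variant of the `cors` filter above that opts in to cross-origin reads only for an exact-match allowlist instead of `*`, and answers preflight requests. The origins, the helper name `allowed_origin`, the allowed methods and headers, and the body of `/protected` are assumptions made for illustration.

```r
# plumber.R (added example; the origins below are constructed placeholders)
ALLOWED_ORIGINS <- c("https://app.example.org", "https://admin.example.org")

# Returns the origin to echo back, or NULL when the request's Origin header is
# missing or not on the allowlist. Exact string match only: no substring or
# regex matching, so look-alike hosts and the literal "null" origin are refused.
allowed_origin <- function(origin, allowed = ALLOWED_ORIGINS) {
  if (is.null(origin) || length(origin) != 1 || !nzchar(origin)) return(NULL)
  if (origin %in% allowed) origin else NULL
}

#* @filter cors
cors <- function(req, res) {
  # The response depends on the Origin header, so caches must key on it.
  res$setHeader("Vary", "Origin")

  origin <- allowed_origin(req$HTTP_ORIGIN)
  if (!is.null(origin)) {
    res$setHeader("Access-Control-Allow-Origin", origin)
  }

  if (identical(req$REQUEST_METHOD, "OPTIONS")) {
    # Preflight: answered in the filter. Only allowlisted origins get the
    # Allow-* headers; for any other origin the browser blocks the request.
    if (!is.null(origin)) {
      res$setHeader("Access-Control-Allow-Methods", "GET, POST")
      res$setHeader("Access-Control-Allow-Headers", "Content-Type")
    }
    res$status <- 200
    return(list())
  }
  plumber::forward()
}

#* @get /protected
protected <- function(adresse) {
  list(adresse = adresse)  # placeholder body; the thread elides the real one
}

# Offline checks of the allowlist decision (constructed inputs).
stopifnot(
  identical(allowed_origin("https://app.example.org"), "https://app.example.org"),
  is.null(allowed_origin("https://app.example.org.attacker.example")),
  is.null(allowed_origin("http://app.example.org")),  # scheme must match too
  is.null(allowed_origin("null")),
  is.null(allowed_origin(NULL))
)
```

As in the working script above, the endpoint carries no `@preempt cors` line, so the filter runs for it.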