squeak-smalltalk / squeak.org

Squeak/Smalltalk Website
http://squeak.org
36 stars 23 forks source link

Enable CORS #9

Closed codefrau closed 6 years ago

codefrau commented 8 years ago

Particularly on files.squeak.org and build.squeak.org.

fniephaus commented 7 years ago

Can this be closed? See here.

codefrau commented 6 years ago

Maybe it did work at some point, but right now, the server does not send CORS headers.

This is Chrome's error message in SqueakJS: Failed to load http://files.squeak.org/5.1/Squeak5.1-16549-32bit/Squeak5.1-16549-32bit.zip: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.

And these are the headers I see:

$ whead  http://files.squeak.org/5.1/Squeak5.1-16549-32bit/Squeak5.1-16549-32bit.zip
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Fri, 17 Nov 2017 12:58:20 GMT
Content-Type: application/zip
Content-Length: 16215793
Last-Modified: Mon, 26 Sep 2016 09:25:23 GMT
Connection: keep-alive
ETag: "57e8e983-f76ef1"
X-Clacks-Overhead: GNU Terry Pratchett
Accept-Ranges: bytes

If this and #11 get fixed I could again directly link files from SqueakJS, which would be awesome :)

krono commented 6 years ago

This worked: curl -H "Origin: http://try.squeak.org" -I http://files.squeak.org/5.1/Squeak5.1-16550-32bit/Squeak5.1-16550-32bit.zip

But this didnt: curl -H "Origin: http://try.squeak.org/" -I http://files.squeak.org/5.1/Squeak5.1-16550-32bit/Squeak5.1-16550-32bit.zip

Fixed the regex. (note: you need the origin...)

codefrau commented 6 years ago

It does not seem to work for localhost or for squeak.js.org. Does it have a very special list of allowed origins?

krono commented 6 years ago

jep: *.squeak.org

        location / {
        #enable CORS from *.squeak.org
        if ($http_origin ~ ^https?://([^/]+\.)?squeak\.org) { #hopefully this if won't affect try_files
            add_header 'Access-Control-Allow-Origin' '*';
            #See https://stackoverflow.com/questions/21104810/what-could-explain-the-browser-intermittently-not-loading-some-cors-crossorigin
            #why the value is * instead of #http_origin
        }
        try_files $uri @autoindex;

I just changed it to allow more than just the root path. (I think @nicolas-cellier-aka-nice put it in there, but I'm not sure)

nicolas-cellier-aka-nice commented 6 years ago

Hi Tobias, its beyond my expertise and I think I'm not a contributor https://github.com/squeak-smalltalk/squeak.org/graphs/contributors

krono commented 6 years ago

Hi Nicolas, that was just a guess. I also talked about the server/nginx configuration, nothing here on github. And yes, checking the admin-log yields that it was levente who helped with CORS.

krono commented 6 years ago

@bertfreudenberg do we need other hosts than *.squeak.org?

codefrau commented 6 years ago

@krono Yes. At the very least localhost (for debugging) and squeak.js.org. But why not unconditionally allow it? Why do we need to restrict it to certain origins?

krono commented 6 years ago

Dunno, Levente did that, most probably for good reasons. nevertheless, I included both. please try again.

codefrau commented 6 years ago

Works for localhost and once we have HTTPS (#11) I'm sure it will work for squeak.js.org, too. Thanks!

krono commented 6 years ago

'k