Enable CORS by default

[marcenuc]

I have created a new project with:

stack new myproject yesod-scaffold/hsfiles/postgres.hsfiles
cd myproject
stack build
stack exec -- yesod devel
open http://localhost:3000/

The glyphicons are not displayed correctly because CORS is not properly setup. Then I have installed the wai-cors package as explained in https://github.com/yesodweb/yesod-cookbook/pull/2 and now it works.

I think this should be in the default setup because the home page has glyphicons.

Are you open to a pull-request?

[snoyberg]

Enabling CORS has security implications, and therefore IMO should not be something we turn on by default.

[marcenuc]

OK, the default configuration should be secure.

But the default configuration should also work, without errors, because any error gives the impression that something went wrong during setup.

Being a newcomer, I have lost a lot of time trying to figure out what I have done wrong, just to discover that it was a known "feature". :-)

Maybe we should add a warning message to homepage.hamlet saying why glyphicons are not working and how to fix it.

[snoyberg]

I don't see any errors, and wouldn't expect to need CORS at all in the scaffolded setup, since the assets are being served (in principle) from the same domain name. It's possible that you're accessing the site over one address (e.g., 127.0.0.1) while the generated URLs are something else (e.g., localhost). If you provide more information on what errors you're seeing, that would be useful.

[marcenuc]

You are right, the problem is in the URL I am using. The problem is with http://127.0.0.1:3000 (you may need to force reload of the page with Ctrl+Shif+R, because the fonts may be cached). With http://localhost:3000 it works fine.

Then the error is in the messages printed by yesod on start:

$ stack exec -- yesod devel
Yesod devel server. Type 'quit' to quit
Application can be accessed at:

http://127.0.0.1:3000
https://127.0.0.1:3443
If you wish to test https capabilities, you should set the following variable:
  export APPROOT=https://127.0.0.1:3443

Later it says: Devel application launched: http://localhost:3000. But this is less visible because it is intermixed with the messages of database migrations.

[snoyberg]

I've just pushed a commit to the scaffolding (postgres branch) that switches the default behavior from a hard-coded application root to guessing the application root from the request. However, there seems to be a problem with this an the https server, which I'll need to check next week.

[snoyberg]

I've identified the issue with TLS, which is a bug in warp-tls: https://github.com/yesodweb/wai/issues/478

Other than that, I believe switching the scaffolding over to guessApproot is the right approach. I'll also update yesod-bin to use localhost instead of 127.0.0.1, though that shouldn't have any meaningful impact anymore.

[bsima]

What is the recommended way to handle CORS with a static subsite like static.example.com?

[MaxGabriel]

Not sure if it’s the best way, but you can use the wai-cors package to add headers to allow the browser to access those resources

[bsima]

Yes, this is already documented here: https://github.com/yesodweb/yesod-cookbook/blob/master/cookbook/Allowing-WOFF-fonts-to-be-accessed-from-other-domains-%28CORS%29.md#using-wai-cors-package