allow CORS in import API #2546
Comments
Totally. It must have the same rules as the SQL API, for example.
Fine, after the vizjson changes these changes can be attacked more easily (or at least detect possible problems better), and I like the idea
Fine by me, but what's the use case you're thinking about?
being able to import a table from a third party application using only JavaScript cc @sanderpick
Do we want to make this available to anybody? Or do we want to enable it for specific third party applications (like in a whitelist)?
would be fine for the "map-in-cartodb-button" app to have a whitelist - but may be nice to just have it open so others can build stuff with it too if it's not a security concern.
Glad you all are thinking about this. I ran into this today while working on a client-side dataset upload tool.
+1
There has been no activity on this issue for several months. We are closing it. If you think this still needs to be addressed please open a new issue.
please, keep this open
Should we close this?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This PR CartoDB/CartoDB-SQL-API#261 added some CORS support (see the middleware and usage). Not sure whether this covers the original intent of the ticket cc/ @dgaubert
This was about the Import API. That looks related to SQL API batch queries, doesn't it?
Summoning @javitonino for prioritization
true, my bad
We have a new way to import data via the COPY API + instead of just enabling CORS for the Import API, to use it in web applications we should think about proper OAuth support. It's sad but 4 and a half years later it's time to close this issue.
It would be nice to have CORS in the import API but we need to be really careful with the implementation in order to not open security holes.
If we just allow CORS by adding HTTP OPTIONS + headers, a third party could import files if the user has the session open.
My proposal here is to allow CORS only if a valid api_key is provided (and in the future with OAuth), like:
curl -X OPTIONS -H "Cookie: valid session" http://user.cartodb.com/api/v1/import
curl -X OPTIONS "http://user.cartodb.com/api/v1/import?api_key=validapikey"
thoughts? @juanignaciosl @Kartones @rafatower @rochoa
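
One way to express the proposal above (CORS only when a valid api_key is supplied, never because a session cookie is present), as an added example that is not CartoDB's code: a Rack-style middleware in plain Ruby. The class name `ApiKeyCors` and the `key_valid` lookup are assumptions made for illustration.

```ruby
require "uri"

# Added example, not CartoDB code. CORS headers are emitted only for requests
# that carry a valid api_key; a session cookie alone never enables them.
class ApiKeyCors
  # key_valid: hypothetical callable (host, api_key) -> true/false
  def initialize(app, key_valid)
    @app = app
    @key_valid = key_valid
  end

  def call(env)
    origin = env["HTTP_ORIGIN"]
    return @app.call(env) if origin.nil? # no Origin header: not a CORS request

    key = api_key_from(env)
    allowed = !key.nil? && @key_valid.call(env["HTTP_HOST"], key)

    if env["REQUEST_METHOD"] == "OPTIONS"
      # Preflight is answered here; without CORS headers the browser stops.
      return allowed ? [204, cors_headers(origin), []] : [403, {}, []]
    end

    # Cookie only: pass through unchanged, with no CORS headers added.
    return @app.call(env) unless allowed

    # Valid api_key: drop the cookie so the session is never used cross-origin.
    status, headers, body = @app.call(env.reject { |k, _| k == "HTTP_COOKIE" })
    [status, headers.merge(cors_headers(origin)), body]
  end

  private

  def api_key_from(env)
    URI.decode_www_form(env["QUERY_STRING"].to_s).to_h["api_key"]
  rescue ArgumentError
    nil # malformed query string: treat as no key
  end

  def cors_headers(origin)
    # No Access-Control-Allow-Credentials header is ever sent.
    { "Access-Control-Allow-Origin" => origin,
      "Access-Control-Allow-Methods" => "GET, POST, OPTIONS",
      "Access-Control-Allow-Headers" => "Content-Type",
      "Vary" => "Origin" }
  end
end
```

The two `curl -X OPTIONS` requests in the post map to the two preflight branches: the cookie-only request gets no CORS headers, the `api_key` request gets them.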