Trove API invalidly returns two access-control-allow-origin headers #24

Open
Conal-Tuohy opened this issue Nov 14, 2023 · 5 comments
Labels
bug Something isn't working HTTP HTTP level Trove API relating to the underlying Trove API

Comments

@Conal-Tuohy
Owner

Conal-Tuohy commented Nov 14, 2023

If a request is made to the Trove API containing an "Origin" request header, then the response includes two access-control-allow-origin headers, both with the value *. If a request is made without an Origin header, then a single access-control-allow-origin header is returned. However, requests to the API from a JS client in a browser will always have an Origin header, and because multiple Access-Control-Allow-Origin headers are not allowed, these requests will fail, making it impossible to call the Trove API from such a client, except by going through a proxy which can remove one of the supernumerary headers.

This is a Trove server error.

@Conal-Tuohy Conal-Tuohy added bug Something isn't working HTTP HTTP level Trove API relating to the underlying Trove API labels Nov 14, 2023
@Conal-Tuohy Conal-Tuohy self-assigned this Nov 14, 2023
@Conal-Tuohy
Owner Author

Trove's response to the following request contains a single access-control-allow-origin header:

curl --verbose  'https://api.trove.nla.gov.au/v3/result?category=newspaper&n=0&encoding=json'

Trove's response to the following request contains two access-control-allow-origin headers:

curl -H 'Origin: http://localhost' --verbose  'https://api.trove.nla.gov.au/v3/result?category=newspaper&n=0&encoding=json'

@Conal-Tuohy
Owner Author

Libraries Australia reference: RSref165736

@Conal-Tuohy
Owner Author

I've had no confirmation from NLA, but the bug appears to be fixed:

curl -s --verbose  'https://api.trove.nla.gov.au/v3/result?category=newspaper&n=0&encoding=json' 2>&1 \
| grep --ignore-case --fixed-strings "Access-Control-Allow-Origin:"

produces < access-control-allow-origin: *

@wragge

wragge commented Apr 16, 2024

Still seems to be broken?

curl H 'Origin: http://localhost' --verbose  'https://api.trove.nla.gov.au/v3/result?category=newspaper&n=0&encoding=json' 2>&1 | grep --ignore-case --fixed-strings "Access-Control-Allow-Origin:"

Produces:

< access-control-allow-origin: *
< access-control-allow-origin: *

@Conal-Tuohy
Owner Author

You're absolutely right @wragge that this bug persists. My comment from Dec 20 was mistaken because I failed to send an Origin header in that test. BTW your example did the same for me, until I realised that H should have been -H. I will chase it up with the NLA.
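
The check discussed in this thread, as an added example that is not part of the issue or the project's code: it reads `curl --verbose` output, joins repeated access-control-allow-origin values the way a browser does, and applies the non-credentialed CORS comparison. The function names `combined_acao` and `cors_check` and the sample response text are constructed for illustration.

```shell
#!/bin/sh
# Added example: why two "access-control-allow-origin: *" headers fail in a browser.
# Reads `curl --verbose` output on stdin; response header lines start with "< ".

# Join the values of all ACAO response headers with ", ", which is how a
# browser combines a repeated header before running its CORS check.
combined_acao() {
    awk '
        { sub(/\r$/, "") }                      # curl keeps the CR of each CRLF
        tolower($0) ~ /^< access-control-allow-origin:/ {
            sub(/^[^:]*:[ \t]*/, "")            # keep only the header value
            out = (n++ ? out ", " : "") $0
        }
        END { print out }
    '
}

# Non-credentialed CORS check: the combined value must be exactly "*" or
# exactly the request's Origin. Usage: cors_check ORIGIN < curl-verbose-output
cors_check() {
    value=$(combined_acao)
    if [ "$value" = "*" ] || [ "$value" = "$1" ]; then
        echo pass
    else
        echo fail
    fi
}

# Constructed sample responses (only the ACAO lines match what the thread shows).
SINGLE='< HTTP/1.1 200 OK
< content-type: application/json
< access-control-allow-origin: *'
DOUBLE='< HTTP/1.1 200 OK
< content-type: application/json
< access-control-allow-origin: *
< access-control-allow-origin: *'

printf '%s\n' "$SINGLE" | cors_check 'http://localhost'   # pass
printf '%s\n' "$DOUBLE" | cors_check 'http://localhost'   # fail
```

Against the live API, pipe the thread's own command into it, e.g. `curl -s -H 'Origin: http://localhost' --verbose '<url>' 2>&1 | cors_check 'http://localhost'`. The duplicated header fails because the combined value `*, *` equals neither `*` nor the origin.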
