Support CORS for reconciliation endpoints #2260
Assignees
Labels
pull request pending
For issues that will be fixed by an open PR
reconciliation API design
when changing the reconciliation API is required to improve a workflow
reconciliation
Related to the reconciliation operations and other features
Type: Feature Request
Identifies requests for new features or enhancements. These involve proposing new improvements.
Milestone
Comments
wetneb
added
Type: Feature Request
wetneb
added
the
reconciliation
This was referenced Dec 24, 2019
wetneb
added
the
pull request pending
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We currently use JSONP to call reconciliation services from the browser. This is a problem since it is inherently insecure (the server can inject arbitrary javascript code in OpenRefine). The modern solution to call web services from a browser across domains is to use CORS.
The reconciliation CG is changing the standards to require CORS instead of JSONP (reconciliation-api/specs#19) so we should support CORS too. Ideally we would support both during a transition period. When trying to add a service, check first if it can be reached via CORS, then with JSONP. We should probably remember in the service manifest whether the service could be accessed via CORS or not, so that we avoid trying CORS and falling back to JSONP for all subsequent queries.
The text was updated successfully, but these errors were encountered: