Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support CORS for reconciliation endpoints #2260

Closed
wetneb opened this issue Dec 23, 2019 · 0 comments
Closed

Support CORS for reconciliation endpoints #2260

wetneb opened this issue Dec 23, 2019 · 0 comments

Comments

@wetneb
Copy link
Member

@wetneb wetneb commented Dec 23, 2019

We currently use JSONP to call reconciliation services from the browser. This is a problem since it is inherently insecure (the server can inject arbitrary javascript code in OpenRefine). The modern solution to call web services from a browser across domains is to use CORS.

The reconciliation CG is changing the standards to require CORS instead of JSONP (reconciliation-api/specs#19) so we should support CORS too. Ideally we would support both during a transition period. When trying to add a service, check first if it can be reached via CORS, then with JSONP. We should probably remember in the service manifest whether the service could be accessed via CORS or not, so that we avoid trying CORS and falling back to JSONP for all subsequent queries.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant
You can’t perform that action at this time.