Allow cross-site requests to the RSS feed #3835

Closed
ajcamilo opened this Issue Aug 20, 2014 · 6 comments

ajcamilo commented Aug 20, 2014

My company has a blog with Ghost and we would like to show a list of some posts on our main page.

A solution I found was to use the RSS feed through JavaScript on the main page, and parse the XML.

The problem is that cross-site requests are not allowed (CORS), so the Ghost RSS feed response needs to add the header `Access-Control-Allow-Origin: *`

Member

ErisDS commented Aug 20, 2014

Hi again :)

I certainly appreciate your use case and that you need to do this for your own blog, but I don't think that pushing this back into core is the right thing to do. We have guidelines for what we include in core, and in this case the majority of users would not use this feature. In fact I'd suggest that most users who understand what this does would not expect it to be available by default.

Furthermore, what you're doing is a workaround. If you want to display content from your Ghost blog elsewhere, the correct way to do so would be to use the API, which will become openly available in one of the upcoming releases. Alternatively in future you might enable this via an app.

ajcamilo commented Aug 20, 2014

Ok, I understand your point.

Just as a suggestion, make your API allow cross-site requests so people can integrate the blog on their website without the need for a server application.

And thanks for Ghost :)

cdax commented Aug 20, 2014

Hi ajcamilo,

As I understand, cross-origin requests are deliberately disabled by most major browsers, but only for scripts originating from localhost. It's a security feature. What this means is that when your browser serves a hosted copy of your page, it shouldn't show you this error.

According to this post, you can turn off the setting that enforces this (for Chrome). However, you should only disable web security features temporarily, only while you're testing -- they're enabled by default for a reason.

ajcamilo commented Aug 20, 2014

Hi c-das,

My problem is that the blog is not on the same domain as the website, so I have a cross-domain problem.

It's very well explained here: http://jvaneyck.wordpress.com/2014/01/07/cross-domain-requests-in-javascript/

Member

novaugust commented Aug 20, 2014

The easiest solution here would be to use nginx to add the appropriate ACAO headers to any request towards yourblog.com/rss, rather than doing it across ghost for all users.
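
The nginx approach suggested in the comment above, as an added example (not from the thread or the Ghost project): the CORS header is set only on the feed path and only for an allowlisted origin instead of `*`. The origin `https://www.example.com`, the upstream address `127.0.0.1:2368` and the `/rss/` path are assumptions to adjust for the actual deployment.

```nginx
# Place the map in the http {} context.
# The Origin is echoed back only when it is on the allowlist; any other
# origin maps to "", and nginx omits a header whose value is empty.
map $http_origin $rss_cors_origin {
    default                    "";
    "https://www.example.com"  $http_origin;   # assumed origin of the main site
}

server {
    listen 80;
    server_name yourblog.com;

    # Only the feed carries CORS headers; the rest of the blog is unchanged.
    location /rss/ {
        add_header Access-Control-Allow-Origin $rss_cors_origin always;
        # The response differs per Origin, so caches must key on it.
        add_header Vary Origin always;

        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:2368;   # assumed address of the Ghost process
    }

    location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:2368;   # assumed address of the Ghost process
    }
}
```

A request to the feed with `Origin: https://www.example.com` gets `Access-Control-Allow-Origin: https://www.example.com` in the response; a request from any other origin gets no such header, so the browser blocks the cross-origin read.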

Member

ErisDS commented Aug 20, 2014

@ajcamilo We have a lot of plans around opening up the API to outside access, with OAuth to start with most likely. We'll be looking to provide plenty of tools and docs, as I think yours is likely to be the most common use case for the API. I'm going to close this and the related PR #3833 now :)

@ErisDS ErisDS closed this Aug 20, 2014
