CORS header ‘Access-Control-Allow-Origin’ missing #1006

Closed
NickColley opened this issue Nov 6, 2022 · 4 comments
Comments

NickColley commented Nov 6, 2022

I have built a JavaScript API for the Search API and Content API, but there is an inconsistency between the two.

In Node.js both succeed as expected.
In the browser only Search API succeeds.
This is because Content API does not have the correct headers set to allow for client-side requests.

<script type="module">
  import { SearchAPI, ContentAPI } from "https://unpkg.com/@nickcolley/govuk";
  const searchApi = new SearchAPI();
  const searchItem = await searchApi.get("Register to vote")
  // Succeeds
  console.log({ searchItem })
  
  const contentApi = new ContentAPI();
  const contentItem = await contentApi.get("/Register-to-vote")
  // Fails
  console.log({ contentItem })
</script>

https://jsbin.com/cidexadexu/edit?html,console,output

Browser console:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.gov.uk/api/content/Register-to-vote. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 404.

XHR GET https://www.gov.uk/api/content/Register-to-vote
CORS Missing Allow Origin

cc @kevindew thoughts on this? :)

kevindew added a commit that referenced this issue Nov 14, 2022
This addresses #1006

This sets an `Access-Control-Allow-Origin: *` header on HTTP responses to
the show endpoint; this will allow requests to this API to originate
(via JS) from hosts other than www.gov.uk.

The reason for adding this is to resolve the issue raised on GitHub 1006
[1]. GOV.UK doesn't directly need this as it doesn't make use of client
side requests to the Content Store and, if it did, they'd be from the
same host. However this is added to reflect that this is indeed a
partially supported public API [2] and that we are not concerned with JS
clients calling it from a different host.

I only put this on the one endpoint as there didn't seem to be any need
to have it on endpoints other than ContentItems#show. I also didn't
implement the HTTP OPTIONS method for the endpoint as I don't think it's
strictly needed and can't see evidence of this enabled on other GOV.UK
cross-origin endpoints:

➜  ~ curl -sI -X OPTIONS https://www.gov.uk/api/search.json\?fields\=publishing_app\&filter_publishing_app\=publisher\&filter_first_published_at\=from:2022-09-01,to:2022-09-30 | grep HTTP
HTTP/2 404

[1]: #1006
[2]: https://content-api.publishing.service.gov.uk/
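As an added example (not code from the issue, from the commit, or from GOV.UK), here is a small JavaScript model of the browser-side CORS decision. It covers both the console error in the original report (a response with no `Access-Control-Allow-Origin` header is unreadable regardless of status code) and the commit's choice to add only the header and no OPTIONS handler (fine for the bare GET the issue makes, but any client that adds a non-safelisted header such as `Authorization` or a JSON `Content-Type` would trigger a preflight that the server would answer with 404). The page origin `https://jsbin.com` and the before/after response headers are constructed assumptions, not captured traffic.

```javascript
// Added example, not code from the issue, the commit or GOV.UK: a small model of
// the browser-side CORS decision, so the console error above and the commit's
// choice to skip the OPTIONS preflight can both be checked offline.

// The classic CORS-safelisted method/header set from the Fetch spec. A request
// that stays inside it is sent without a preflight; anything else triggers an
// OPTIONS request first. (Per-header value byte restrictions are omitted here.)
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept",
  "accept-language",
  "content-language",
  "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// True when a browser would send an OPTIONS preflight before this request.
function needsPreflight(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === "content-type") {
      // Only the media type counts; parameters such as charset are ignored.
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Would page JS running at `origin` be allowed to read a response that came
// back with `responseHeaders` (lower-cased names)? The HTTP status is
// irrelevant to this check: a 200 without the header is blocked exactly like
// the 404 in the report.
function corsAllowsRead(origin, responseHeaders, { credentials = false } = {}) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) {
    return { ok: false, reason: "CORS header 'Access-Control-Allow-Origin' missing" };
  }
  if (acao === "*") {
    // A wildcard is rejected for credentialed requests (fetch with
    // credentials: "include", i.e. cookies, HTTP auth entries, client certs).
    if (credentials) return { ok: false, reason: "wildcard not valid with credentials" };
    return { ok: true, reason: "wildcard origin" };
  }
  if (acao !== origin) {
    return { ok: false, reason: `origin ${origin} does not match ${acao}` };
  }
  if (credentials && responseHeaders["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "Access-Control-Allow-Credentials missing" };
  }
  return { ok: true, reason: "exact origin match" };
}

// Constructed inputs modelled on the thread (assumptions, not captured traffic):
// the demo page's origin, the Content API response before #1011 (no CORS header)
// and after it (`Access-Control-Allow-Origin: *`).
const PAGE_ORIGIN = "https://jsbin.com";
const RESPONSE_BEFORE_FIX = { "content-type": "application/json; charset=utf-8" };
const RESPONSE_AFTER_FIX = {
  "content-type": "application/json; charset=utf-8",
  "access-control-allow-origin": "*",
};

function demo() {
  return {
    // The issue's `contentApi.get(...)`: a bare GET, so no preflight is needed
    // and the missing OPTIONS handler in the commit does not matter.
    plainGetNeedsPreflight: needsPreflight("GET"),
    // A client that adds e.g. an Authorization header would preflight, and a
    // server answering OPTIONS with 404 would then block the real request.
    authGetNeedsPreflight: needsPreflight("GET", { Authorization: "Bearer token" }),
    before: corsAllowsRead(PAGE_ORIGIN, RESPONSE_BEFORE_FIX),
    after: corsAllowsRead(PAGE_ORIGIN, RESPONSE_AFTER_FIX),
    afterWithCredentials: corsAllowsRead(PAGE_ORIGIN, RESPONSE_AFTER_FIX, { credentials: true }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` to see the five outcomes side by side. The practical reading for the commit above: `Access-Control-Allow-Origin: *` is sufficient as long as clients stay within the safelisted GET; the moment a wrapper library sets a custom header or a JSON content type, the browser preflights and the 404 on OPTIONS turns into a CORS block again.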
@kevindew
Member

I don't think a need has ever come up before, I've opened #1011 to add the header as it seems like it should allow this.

I can't make any guarantees for future consistency on this, I don't think anyone is taking our API offerings seriously as external resources.

@NickColley
Author

That is very reasonable, appreciate your time Kevin!

@aldavidson
Contributor

Can we close this issue since #1011 was merged?

@NickColley
Author

Yes it all is working!
