CORS header ‘Access-Control-Allow-Origin’ missing #1006
kevindew added a commit that referenced this issue Nov 14, 2022
This addresses #1006

This sets an `Access-Control-Allow-Origin: *` header on HTTP responses to the show endpoint, this will allow requests to this API to originate (via JS) from hosts other than www.gov.uk.

The reason for adding this is to resolve the issue raised on GitHub 1006 [1]. GOV.UK doesn't directly need this as it doesn't make use of client side requests to the Content Store and, if it did, they'd be from the same host. However this is added in to reflect that this is indeed a partially supported public API [2] and that we are not concerned with JS clients calling it from a different host.

I only put this on the one endpoint as there didn't seem to be any need to have it on endpoints other than ContentItems#show.

I also didn't implement the HTTP OPTIONS method for the endpoint as I don't think it's strictly needed and can't see evidence of this enabled on other GOV.UK cross-origin endpoints:

    ➜ ~ curl -sI -X OPTIONS https://www.gov.uk/api/search.json\?fields\=publishing_app\&filter_publishing_app\=publisher\&filter_first_published_at\=from:2022-09-01,to:2022-09-30 | grep HTTP
    HTTP/2 404

[1]: #1006
[2]: https://content-api.publishing.service.gov.uk/
I don't think a need has ever come up before, I've opened #1011 to add the header as it seems like it should allow this. I can't make any guarantees for future consistency on this, I don't think anyone is taking our API offerings seriously as external resources.

That is very reasonable, appreciate your time Kevin!

Can we close this issue since #1011 was merged?

Yes it all is working!
I have built a JavaScript API for the Search API and Content API, but there is an inconsistency between the two.
In Node.js both succeed as expected.
In the browser only Search API succeeds.
This is because Content API does not have the correct headers set to allow for client-side requests.
https://jsbin.com/cidexadexu/edit?html,console,output
Browser console:
cc @kevindew thoughts on this? :)
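
As an added illustration (not part of the issue thread or of the content-store code), this simplified model of the Fetch standard's CORS rules shows why a response without the header is unreadable from page script even though Node.js, which does not enforce the same-origin policy, reads it fine, and why a plain GET triggers no OPTIONS preflight. The origin `https://example.org` and the two header sets are constructed samples; the safelists omit the standard's per-value restrictions.

```javascript
// Added example: simplified model of browser CORS decisions (Fetch standard).
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True if the browser must send an OPTIONS preflight before the real request.
function needsPreflight(method, requestHeaders = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(requestHeaders).some(([name, value]) => {
    const n = name.toLowerCase();
    if (n === "content-type") {
      return !SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
    }
    return !SAFELISTED_HEADERS.has(n);
  });
}

// True if script running at `origin` may read the cross-origin response.
function corsCheck(origin, responseHeaders, withCredentials = false) {
  const h = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const allow = h["access-control-allow-origin"];
  if (allow === undefined) return false; // the failure reported in this issue
  if (!withCredentials) return allow === "*" || allow === origin;
  // Credentialed requests: the wildcard is rejected and an explicit opt-in is required.
  return allow === origin && h["access-control-allow-credentials"] === "true";
}

// Constructed sample response headers: before and after the header was added.
const BEFORE = { "Content-Type": "application/json" };
const AFTER = { "Content-Type": "application/json", "Access-Control-Allow-Origin": "*" };
const ORIGIN = "https://example.org"; // constructed calling page origin

function summary() {
  return {
    getNeedsPreflight: needsPreflight("GET"),
    customHeaderNeedsPreflight: needsPreflight("GET", { "X-Client": "demo" }),
    readableBefore: corsCheck(ORIGIN, BEFORE),
    readableAfter: corsCheck(ORIGIN, AFTER),
    readableAfterWithCookies: corsCheck(ORIGIN, AFTER, true),
  };
}

console.log(summary());
```

A client that adds a non-safelisted request header, or sends a JSON `Content-Type` on a POST, would trigger a preflight and so would depend on OPTIONS being answered. The `*` value never exposes responses to credentialed cross-origin requests.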