Add Access-Control-Allow-Origin: * to JSON responses for anonymous search requests #2186

Closed
hubgit opened this issue Apr 22, 2015 · 7 comments

Comments

@hubgit
hubgit commented Apr 22, 2015

I'd like to be able to search the API for annotations of the current page, in client-side JavaScript.

Currently there's no Access-Control-Allow-Origin: * header on the JSON response, so it's not possible to call the API from a different domain (unlike via.hypothes.is, which is able to call the API as it's on the same domain).

As the search results are sometimes filtered according to the current user, and the Access-Control-Allow-Origin: * prevents the response to authenticated requests being read, the header should only be added to anonymous requests (meaning that only non-authenticated requests would be readable cross-domain).

I think it needs to be added somewhere around https://github.com/hypothesis/h/blob/master/h/api/views.py#L77

@judell
Contributor

judell commented Apr 22, 2015

Thanks Alf, good call, we like this.

@wagoodman

I believe you need request.response.headers["Access-Control-Allow-Origin"] = "*"
before the return statement.

@tilgovi
Contributor

tilgovi commented Apr 24, 2015

We also need to support the OPTIONS request. This is probably best handled with a view decorator or a tween.

@BigBlueHat
Contributor

@hubgit @wagoodman rather than wait for us to get this through our queue, I'd recommend setting up a CORS proxy to handle requests to the Hypothes.is API.

corsproxy is a good one if you're running Node.js.

You could also test with these public CORS proxies (though YMMV):
https://jsonp.afeld.me/
http://cors.maxogden.com/

Hopefully that'll let you keep hacking while you wait on us. 😸

@tilgovi
Contributor

tilgovi commented May 4, 2015

Or make a pull request :-D

@BigBlueHat
Contributor

Oh right! or that. 😉

@hubgit
Author

hubgit commented May 5, 2015

> We also need to support the OPTIONS request.

I don't think it's necessary to support OPTIONS for GET requests.
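
One way to get the behaviour requested in this thread, shown as an added example rather than the project's own code: a standard-library WSGI middleware that sets the header only on JSON responses to requests that carry no credentials. Treating "no Cookie and no Authorization header" as anonymous, and the names `AnonymousCORS`, `search_app` and `response_headers`, are assumptions made for the example.

```python
from wsgiref.util import setup_testing_defaults

# Assumption: a request is "anonymous" when it carries no Cookie and no
# Authorization header. The project may decide this differently.
CREDENTIAL_KEYS = ("HTTP_COOKIE", "HTTP_AUTHORIZATION")


def is_anonymous(environ):
    return not any(environ.get(key) for key in CREDENTIAL_KEYS)


class AnonymousCORS:
    """WSGI middleware: allow cross-origin reads of anonymous JSON responses only."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        anonymous = is_anonymous(environ)

        def cors_start_response(status, headers, exc_info=None):
            headers = list(headers)
            content_type = next(
                (v for k, v in headers if k.lower() == "content-type"), "")
            is_json = content_type.split(";")[0].strip().lower() == "application/json"
            if anonymous and is_json:
                headers.append(("Access-Control-Allow-Origin", "*"))
            # The response now differs by credentials, so tell caches.
            headers.append(("Vary", "Cookie, Authorization"))
            return start_response(status, headers, exc_info)

        return self.app(environ, cors_start_response)


def search_app(environ, start_response):
    # Constructed stand-in for the search view; not the project's code.
    start_response("200 OK", [("Content-Type", "application/json; charset=UTF-8")])
    return [b'{"total": 0, "rows": []}']


def response_headers(app, **extra_environ):
    """Run one GET through the app and return its response headers as a dict."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(extra_environ)
    captured = {}
    app(environ, lambda status, headers, exc_info=None: captured.update(headers))
    return captured
```
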
