Add CORS middleware handler to the API. #1215
Conversation
| @@ -8,6 +8,8 @@ import ( | |||
| "strconv" | |||
| "strings" | |||
|
|
|||
| "github.com/rs/cors" | |||
There was a problem hiding this comment.
needs to be vendored. run make vendor in project root.
you may have to godep restore or manually go get dependencies for it to work correctly, i believe.
|
👍 for tests! this is a good change IMO. i wonder about the handler wrapper-- feels clunky to me. wonder if maybe we can use the parts of the library instead of the handler wrapper. @cryptix PTAL? |
|
Okay, i'll just merge this in. |
Add CORS middleware handler to the API.
|
So what is the current status regarding CORS in IPFS? I'd like to enable simple wildcard CORS headers in the daemon, until such time an authenticated API is available. In particular I want to be serving Federated Wiki from IPFS, mixing content freely with other CORS enabled Fedwiki sites. |
|
@opn this should be working, but as i'm curling the gateway and my local node, i'm not seeing the proper headers: WIP, hit enter too early. |
|
@opn you're right, we're missing CORS headers on the gateway. The above CORS headers were added to the API route only. We need to add a CORS handler thing similar to this PR but for the HTTP gateway. Relevant code:
> curl -X HEAD -I http://127.0.0.1:8080/ipfs/QmRwsK1Cgq44gtuigfU8VHveTY3aazYro73j8uZakDjpsR
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=29030400
Content-Length: 10
Content-Type: text/plain; charset=utf-8
Etag: QmRwsK1Cgq44gtuigfU8VHveTY3aazYro73j8uZakDjpsR
Last-Modified: Thu, 01 Jan 1970 00:00:01 GMT
Suborigin: QmRwsK1Cgq44gtuigfU8VHveTY3aazYro73j8uZakDjpsR
X-Ipfs-Path: /ipfs/QmRwsK1Cgq44gtuigfU8VHveTY3aazYro73j8uZakDjpsR
Date: Mon, 22 Jun 2015 01:37:14 GMTThe CORS header code for the webui is here: |
|
(Also @opn, 👍 on getting federated wiki going on ipfs! We should try to get this CORS thing figured out for you this week, let us know if we can help with anything else on that front!) |
|
cc @NodeGuy @krl @travisperson Do we want the same CORS header setup for the gateway? Or something else? what are all the relevant security concerns here? Sidenote: the origin problem is tangential, but separate. We hope to address that with per-page suborigins once they land, using subdomains in the meantime. |
|
I don't see why not. |
|
I think it would be fine, but I'm not completely up to speed on the security issues around CORS. I understand what it is and what it does and how to use it, but that's about it really. I think it would be good to get @diasdavid thoughts on this as well. |
Fixes #1017 and #1049.