Discourse API: Allow CORS access #144

Closed
davidgraeff opened this issue Jan 8, 2019 · 14 comments

Comments

@davidgraeff
Member

At the moment the community forum API cannot be accessed from a client (browser) app directly.
Would it be viable to add the required CORS headers for access? A rate limit can of course be applied.

@davidgraeff
Member Author

davidgraeff commented Jan 25, 2019

I'd like to extend this request to include https://www.openhab.org/addons

@davidgraeff
Member Author

Ehm guys, WDYT?
@ghys @Confectrician

@ghys
Member

ghys commented Jan 31, 2019

For Discourse, you can PM your case to @admins for review. This repo is only for the static website, not the forum.

I'm not in favor of it; it's strongly discouraged (https://meta.discourse.org/t/what-are-the-risks-of-enabling-cross-origin-resource-sharing-discourse-enable-cors/41248).
I'm aware the CORS spec disallows requests with credentials if Access-Control-Allow-Origin is set to *, but it's still a bad idea IMO. Cross-domain access should be reserved for benign, trustworthy domains under the openHAB Foundation's control.

As an alternative, you can take a look at the HABPanel widget gallery implementation https://github.com/openhab/org.openhab.ui.habpanel/tree/master/src/main/java/org/openhab/ui/habpanel/internal/gallery/community for an example of how to retrieve public data from Discourse with a server-side proxy.

As for this website, it's a lesser risk, but it's just static HTML and JS. Cross-domain requests are usually for APIs, and this site doesn't have one... can you explain your use case?
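One concrete form of the server-side proxy suggested in the comment above, as an added example that is not part of the thread, of HABPanel's gallery implementation, or of any openHAB project code: the proxy relays only an allow-list of public, read-only Discourse JSON endpoints, strips anything that identifies the client, and rate-limits per client, so the forum never has to relax its own CORS policy. The forum origin, the endpoint list and the User-Agent string that identifies the proxy are assumptions made for the example.

```javascript
// Added example: the policy a server-side proxy for public Discourse data
// should enforce before forwarding anything to the forum. This is not
// HABPanel's gallery code or any openHAB project code; the forum origin and
// the endpoint list are assumptions made for the example.

const UPSTREAM = "https://community.openhab.org"; // assumed forum origin

// Public, read-only JSON endpoints the proxy is willing to relay. Anything
// else (user profiles, private messages, /session, /admin) is refused before
// it ever reaches the forum.
const ALLOWED_PATHS = [
  /^\/latest\.json$/,
  /^\/t\/\d+\.json$/,          // one topic by numeric id
  /^\/c\/[\w-]+\/\d+\.json$/,  // one category by slug and id
  /^\/search\.json$/,
];

// Client headers that carry identity and must never be forwarded: the whole
// point of the proxy is that the forum only ever sees anonymous requests.
const STRIPPED_HEADERS = new Set([
  "cookie", "authorization", "api-key", "api-username", "user-api-key",
]);

const MAX_QUERY_LEN = 200;

// Decide what, if anything, goes upstream. Returns null when the request is
// refused, otherwise the upstream URL and a sanitised header set.
function planUpstream(method, rawPath, clientHeaders) {
  if (method !== "GET") return null;
  const url = new URL(rawPath, UPSTREAM);          // resolves "..", "//host" etc.
  if (url.origin !== UPSTREAM) return null;        // e.g. "//evil.example/latest.json"
  if (!ALLOWED_PATHS.some((re) => re.test(url.pathname))) return null;

  // Only query parameters the proxy understands are passed through.
  const query = new URLSearchParams();
  if (url.pathname === "/search.json") {
    const q = url.searchParams.get("q") || "";
    if (q.length === 0 || q.length > MAX_QUERY_LEN) return null;
    query.set("q", q);
  }
  const page = url.searchParams.get("page");
  if (page !== null && /^\d{1,3}$/.test(page)) query.set("page", page);

  const headers = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    if (!STRIPPED_HEADERS.has(name.toLowerCase())) headers[name.toLowerCase()] = value;
  }
  // A fixed User-Agent lets the forum operators rate-limit this proxy as one
  // client, which is the "special header" idea raised later in the thread.
  headers["user-agent"] = "openhab-docs-proxy/0.1 (example)";
  headers["accept"] = "application/json";

  const qs = query.toString();
  return { url: UPSTREAM + url.pathname + (qs ? "?" + qs : ""), headers };
}

// Per-client token bucket so one misbehaving app cannot turn the proxy into
// a request amplifier against the forum. `nowMs` is injected for testability.
class RateLimiter {
  constructor(burst, perSecond) {
    this.burst = burst;
    this.perSecond = perSecond;
    this.buckets = new Map();
  }
  allow(clientId, nowMs) {
    let b = this.buckets.get(clientId);
    if (!b) { b = { tokens: this.burst, last: nowMs }; this.buckets.set(clientId, b); }
    b.tokens = Math.min(this.burst, b.tokens + ((nowMs - b.last) / 1000) * this.perSecond);
    b.last = nowMs;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Handler glue: `fetchImpl` is the global fetch in production and a stub in
// tests. The proxy's own response can carry a wildcard CORS header because
// nothing credentialed ever passes through it.
async function handle(req, limiter, fetchImpl, nowMs = Date.now()) {
  if (!limiter.allow(req.clientIp, nowMs)) return { status: 429, body: "rate limited" };
  const plan = planUpstream(req.method, req.path, req.headers);
  if (!plan) return { status: 403, body: "endpoint not allowed" };
  const upstream = await fetchImpl(plan.url, { headers: plan.headers });
  return {
    status: upstream.status,
    headers: { "access-control-allow-origin": "*", "content-type": "application/json" },
    body: await upstream.text(),
  };
}
```

With this in front of the forum the app calls the proxy, the forum keeps its CORS policy as it is, and the only thing a third-party page can obtain through the proxy is what an anonymous visitor could read anyway; a Discourse session cookie sent to the proxy is dropped rather than forwarded. The handler takes its fetch implementation as a parameter so the policy can be exercised without network access.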

@davidgraeff
Member Author

davidgraeff commented Jan 31, 2019

can you explain your use case?

Of course. My Paper UI design study.

  • I'm fetching community topics from the forum. I'm using a Heroku proxy at the moment, so with or without CORS I'll generate the same traffic. But with CORS, the forum software could apply specific rate limiting. (I could imagine that general access could be denied, but a special HTTP header signals that it is openHAB-related software. Might help a bit.)

  • I'm showing inline documentation, fetched from /docs and /addons.

See http://davidgraeff.github.io/paperui-ng/

@ghys
Member

ghys commented Jan 31, 2019

I'll generate the same traffic. But with CORS, the forum software could apply specific rate limiting.

It's not about web traffic, it's about preserving the forum users' security and preventing random malicious sites from performing damaging requests on their behalf, or for spamming etc. CORS is vitally important for this.

I'm showing inline documentation, fetched from /docs and /addons.

You mean you want to extract the content from the pages, remove the headers and so on? That's kind of dirty :)

@davidgraeff
Member Author

davidgraeff commented Jan 31, 2019

You mean you want to extract the content from the pages, remove the headers and so on? That's kind of dirty

I'm already doing it xD. And yeah, I know, I could use the GitHub content directly (and I'm doing that on other occasions), but the website script has already crawled everything together for me in this case. It would be even more awesome if the website crawler script could generate .json files for machine consumption.

@davidgraeff
Member Author

It's not about web traffic

Oh, I thought it was about traffic only. I only need to issue GET requests. We could enable CORS for GET only for non-openHAB domains.

@ghys
Member

ghys commented Jan 31, 2019

Still an issue: you can access sensitive information (e.g. private messages) with GET requests.

@davidgraeff
Member Author

But as you stated, authentication headers (actually no headers at all) and also cookies are not allowed with CORS in the default settings.

@davidgraeff
Member Author

What is the situation now?
With these headers it should be safe:

    add_header 'Access-Control-Allow-Origin' '*' always;
    # Fixed: the original spelled this "Allow_Credentials"; browsers ignore the misspelt
    # header. Only the value 'true' is meaningful here; 'false' equals omitting it.
    add_header 'Access-Control-Allow-Credentials' 'false' always;
    add_header 'Access-Control-Allow-Headers' 'Accept,Origin,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
    # Note: add_header directives in a location block replace, not extend, those inherited from server.
    add_header 'Access-Control-Allow-Methods' 'GET' always;
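The header set proposed in the comment above, evaluated the way a browser would, as an added example that is not part of the original thread and not code from openHAB or Discourse. It models the "CORS check" from the Fetch standard together with the rules for when a cross-origin request carries cookies, which is the point the two previous comments disagree on (private messages readable via GET versus cookies not being sent by default). The origins used are invented for the example.

```javascript
// Added example: a model of the "CORS check" from the Fetch standard and of
// when a cross-origin request carries cookies. It is not code from the thread,
// from openHAB or from Discourse; origins below are invented for the example.

// The nginx header set proposed in the thread, with the header name spelled
// correctly. Header names are case-insensitive, so they are kept lowercase.
const PROPOSED_HEADERS = {
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "GET",
  // Only the exact value "true" is meaningful to a browser; "false" has the
  // same effect as leaving the header out.
  "access-control-allow-credentials": "false",
};

// Fetch standard, "CORS check": true when the script on `origin` may read the
// response, false when the browser reports a CORS error instead.
function corsCheck(origin, credentialsMode, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== origin) return false; // exact byte comparison, no lists
  if (credentialsMode !== "include") return true;
  return headers["access-control-allow-credentials"] === "true";
}

// Whether the request carries cookies at all. fetch() defaults to
// "same-origin", XMLHttpRequest to the equivalent of withCredentials=false,
// so a third-party page gets no Discourse session cookie unless it opts in.
function sendsCookies(requestOrigin, targetOrigin, credentialsMode) {
  if (credentialsMode === "include") return true;
  if (credentialsMode === "same-origin") return requestOrigin === targetOrigin;
  return false; // "omit"
}

const FORUM = "https://community.openhab.org"; // assumed forum origin
const THIRD_PARTY = "https://app.example";      // invented client-app origin

// Outcomes for a GET from the third-party page under a given header set.
function evaluate(headers) {
  return {
    // Default fetch(): readable, but anonymous, so only public data is exposed.
    anonymousReadable: corsCheck(THIRD_PARTY, "same-origin", headers),
    anonymousSendsCookie: sendsCookies(THIRD_PARTY, FORUM, "same-origin"),
    // fetch(url, { credentials: "include" }): the cookie is sent and the forum
    // answers, but whether the page may read the answer depends on the headers.
    credentialedReadable: corsCheck(THIRD_PARTY, "include", headers),
    credentialedSendsCookie: sendsCookies(THIRD_PARTY, FORUM, "include"),
  };
}

// The "fix" that turns the wildcard into a real problem: reflecting the
// request's Origin and allowing credentials makes logged-in data readable
// by whichever site sent the request.
function reflectedOriginHeaders(requestOrigin) {
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
    "access-control-allow-methods": "GET",
  };
}
```

The check runs in the browser after the response has arrived, so with `credentials: "include"` the forum still receives the session cookie and processes the request; the wildcard only stops the calling page from reading the answer. Reflecting the request's Origin together with `Access-Control-Allow-Credentials: true`, a common workaround when the wildcard gets in the way, is what would expose private messages to any site a user visits while logged in.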

@davidgraeff
Member Author

Friendly reminder ^^

@ghys
Member

ghys commented Feb 20, 2019

Again, this is the website's repo, it has nothing to do with Discourse.
The list of admins which you should PM is at https://community.openhab.org/about (you can't message the group) and I believe it's @digitaldan who's doing the day-to-day maintenance.
As for the add-ons and docs, I still don't believe allowing client-side scraping of the website's HTML and embedding its content in an app is a valid approach. If there's a JSON file eventually generated with the needed info (e.g. the source URL on GitHub with the Markdown source for a particular page), we can then allow access to that and that only.

@davidgraeff
Member Author

But Yannick, that is all I wanted to know. You don't want to give access to the HTML pages, but you would accept access to a generated JSON file.

Thanks :)

@ghys
Member

ghys commented Feb 20, 2019

That's because your original request was mainly about Discourse ;) and I didn't know if those able to grant or deny you that request were listening here or not. I personally don't have access to the Discourse server's configuration (only the in-app admin area).
