[Feature] Include CORS policy for remote API to allow cross-site request #62
Comments
|
For reference, see the commit in my fork here: |
|
bump |
|
Describe the bug I'm facing this bug: To Reproduce Open Kenku FM Screenshots Desktop (please complete the following information): OS: MacOS Please consider adding flag in setting to allow CORS for integrations. |
Hi,
I'm using Kenku to provide music to for my (Foundry) VTT-based game in Discord.
Preferrably I'd like to control the music & sounds from within the VTT, which is in theory possible using JavaScript-based Macros that make calls to the Kenku API.
However since fastify does not sent any CORS headers, most if not all current browsers will not allow requests from the domain where my VTT is hosted to localhost where Kenku is running.
I was able to add the required headers by forking the project, but I would prefer it if this possibility could be incorporated into the mainline branch.
From a security point of view, the approach I've taken in my fork (allowing CORS requests from all domains) is quite "quick and dirty". For integrating this into the upstream it should at least be optional (that is, CORS requests have to be enabled explicitly in the API settings) or, even better, have a configurable domain name in the API settings for which CORS requests are allowed.
I would gladly implement the required configuration, but the policy states no feature PRs are accepted so I did not (yet ) see much sense in that.
The text was updated successfully, but these errors were encountered: