HTTP CORS #1

Closed
danielweck opened this issue Oct 12, 2016 · 6 comments

@danielweck
Member

Just a heads-up: although your test server does not emit HTTP CORS headers (which would make sense, as a reading system app would most likely be hosted on a different domain, distinct from the content server's origin), you can use a proxy such as https://crossorigin.me, for example:

https://proto.myopds.com/manifest/mobydick.epub/manifest.json

    content-type →text/plain; charset=utf-8
    date →Wed, 12 Oct 2016 14:37:50 GMT
    server →Caddy
    status →200
    vary →Origin

vs.

https://crossorigin.me/https://proto.myopds.com/manifest/mobydick.epub/manifest.json

    access-control-allow-credentials →false
    access-control-allow-headers →Content-Type, X-Requested-With
    access-control-allow-origin →*
    cf-ray →2f0b508a2d2d360e-LHR
    content-encoding →gzip
    content-type →text/plain; charset=utf-8
    date →Wed, 12 Oct 2016 14:41:47 GMT
    expires →Thu, 13 Oct 2016 14:41:46 GMT
    server →cloudflare-nginx
    status →200

@danielweck
Member Author

Obviously, the emitted Content-Type header is preserved through the proxy, e.g.

https://proto.myopds.com/assets/mobydick.epub/about.xml
same as:
https://crossorigin.me/https://proto.myopds.com/assets/mobydick.epub/about.xml

content-type →application/xhtml+xml

@banux
Contributor

banux commented Oct 12, 2016

Thanks for the return. I think Caddy with the cors module (https://caddyserver.com/docs/cors) overwrites the negroni cors middleware plugin. I will check tonight to use the ACME protocol directly or use another proxy.

@danielweck
Member Author

Oh yes, I see:
https://github.com/banux/webpub-streamer/blob/master/main.go#L48

    n := negroni.Classic()
    c := cors.New(cors.Options{
        AllowedOrigins: []string{"*"},
    })
    n.Use(c)

PS: do you deploy webpub-streamer via a Docker configured with Caddy?

banux pushed a commit that referenced this issue Oct 12, 2016
@banux
Contributor

banux commented Oct 12, 2016

It is just a quick deploy on DigitalOcean; I just pushed direct support for Let's Encrypt, so no more Caddy.

@HadrienGardeur

@danielweck can you confirm that it's all good on your side now?

@danielweck
Member Author

Re.:
7c8fadf

    // https://github.com/rs/cors#parameters
    c := cors.New(cors.Options{
        AllowedOrigins: []string{"*"},
        AllowedMethods: []string{"POST", "GET", "OPTIONS", "PUT", "DELETE"},
        Debug:          true,
    })
    n.Use(c)

...in another Go project, I also ended up not using the Negroni CORS middleware plugin, and instead I "manually" set additional HTTP headers.
That's because in my particular case, the processing of the origin header by the CORS Negroni plugin was "getting in the way" (during tests, my HTTP clients do not necessarily produce the required headers in their requests, yet I need responses always with the origin-allowed header):
https://github.com/rs/cors/blob/master/cors.go#L305

Anyway, just as a heads-up, here's how I centralized the CORS headers in my Go code:

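    // Registered on the Negroni instance (n), e.g. in main():
    n.Use(negroni.HandlerFunc(CORSHeaders))

    // CORSHeaders adds the CORS response headers to every response,
    // whether or not the request carried an Origin header.
    func CORSHeaders(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
        grohl.Log(grohl.Data{"CORS": "yes"})
        rw.Header().Add("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE")
        rw.Header().Add("Access-Control-Allow-Origin", "*")

        // before
        next(rw, r)
        // after

        // noop
    }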
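
Added example (not part of the thread, and not code from webpub-streamer or rs/cors): a standard-library-only comparison of the unconditional header approach from the last comment with a middleware that processes the `Origin` request header, showing which requests receive `Access-Control-Allow-Origin`. The `originAwareCORS` and `allowOrigin` helpers, the `/manifest.json` path and the `reader.example` origins are assumptions constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// alwaysCORS sets the headers on every response, Origin header or not.
func alwaysCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		w.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE")
		next.ServeHTTP(w, r)
	})
}

// originAwareCORS (hypothetical stand-in) echoes only allowlisted origins.
func originAwareCORS(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin") // response depends on Origin, so caches must key on it
		if o := r.Header.Get("Origin"); o != "" && allowed[o] {
			w.Header().Set("Access-Control-Allow-Origin", o)
		}
		next.ServeHTTP(w, r)
	})
}

// allowOrigin sends one GET through h and returns the response's
// Access-Control-Allow-Origin value ("" when the header is absent).
func allowOrigin(h http.Handler, origin string) string {
	req := httptest.NewRequest(http.MethodGet, "/manifest.json", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "{}") })
	strict := originAwareCORS(map[string]bool{"https://reader.example": true}, ok) // constructed origin
	for _, o := range []string{"", "https://reader.example", "https://other.example"} {
		fmt.Printf("Origin=%q always=%q strict=%q\n", o, allowOrigin(alwaysCORS(ok), o), allowOrigin(strict, o))
	}
}
```

A test client that sends no `Origin` header gets `*` from the unconditional middleware and no allow-origin header from the origin-aware one, which is the difference the comment describes.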
