Investigate status of CORS #2412

Closed
danbri opened this issue Dec 3, 2019 · 7 comments

@danbri
Contributor

danbri commented Dec 3, 2019

@RichardWallis can you investigate status of our CORS implementation?

I'm hearing we have issues:

Did you know schema.org does not support OPTIONS method in HTTP and do not CORS? You can’t read an ontology term from a script. Supporting CORS on GET isn't a thing as CORS requires the browser to send an OPTIONS first

@danbri
Contributor Author

danbri commented Dec 3, 2019

hmm I guess this should be in the other repo, sorry!

@RichardWallis
Contributor

Addressed in sdopythonapp issue 6

Ready for test when a new version is uploaded to webschemas.org.

@danbri When it is, can you ask who you heard it from to try it out?

@danbri
Contributor Author

danbri commented Jan 3, 2020

Ok, how does it look now?

@RichardWallis
Contributor

curl -i -L -X OPTIONS http://webschemas.org

Returns what looks to be the correct output:

HTTP/2 204 
content-type: text/html; charset=utf-8
cache-control: no-cache
access-control-allow-origin: *
access-control-allow-methods: GET, HEAD, OPTIONS
....

Also if request includes an Origin header its value is used in the Access-Control-Allow-Origin response:
curl -i -L -H "Origin: http://example.com" -X GET http://webschemas.org

Returns

HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://example.com
Content-Type: text/html
...

@RubenVerborgh

curl -i -L -X OPTIONS http://webschemas.org is missing

Access-Control-Allow-Headers: Accept, Accept-Language

or, at the very least just Accept.

The reason for this is that, even though Accept is safelisted (https://fetch.spec.whatwg.org/#no-cors-safelisted-request-header-name), it loses that status if its value contains more than 128 characters (https://fetch.spec.whatwg.org/#cors-safelisted-request-header). And 128 is not a lot for RDF-based clients if they start including all RDF variants in Accept. (Full discussion in whatwg/fetch#862)
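
The 128-byte limit described in the comment above, as an added example that is not part of the original thread or of the schema.org code: it models the Fetch safelist check for Accept and Accept-Language only, then tests a GET without credentials against a preflight response's Access-Control-Allow-Headers value. The function names and the sample Accept value are assumptions made for illustration.

```javascript
// Added example: models the Fetch "CORS-safelisted request-header" check for
// Accept and Accept-Language only (other safelisted names are not modelled).
const UNSAFE_BYTES = new Set([0x22, 0x28, 0x29, 0x3a, 0x3c, 0x3e, 0x3f, 0x40,
                              0x5b, 0x5c, 0x5d, 0x7b, 0x7d, 0x7f]);

function isSafelisted(name, value) {
  const bytes = Buffer.from(value, 'latin1');
  if (bytes.length > 128) return false;            // the limit cited above
  switch (name.toLowerCase()) {
    case 'accept':                                 // no CORS-unsafe bytes allowed
      return !bytes.some(b => (b < 0x20 && b !== 0x09) || UNSAFE_BYTES.has(b));
    case 'accept-language':                        // restricted byte set
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    default:
      return false;
  }
}

// Header names a browser must list in Access-Control-Request-Headers.
function unsafeHeaderNames(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => !isSafelisted(name, value))
    .map(([name]) => name.toLowerCase())
    .sort();
}

// Would a GET with these headers pass, given the preflight response's
// Access-Control-Allow-Headers value (null when the header is absent)?
function preflightAllows(headers, allowHeaders) {
  const needed = unsafeHeaderNames(headers);
  if (needed.length === 0) return true;            // no preflight is sent at all
  const allowed = (allowHeaders || '').split(',').map(s => s.trim().toLowerCase());
  return needed.every(n => allowed.includes(n) ||
    (allowed.includes('*') && n !== 'authorization')); // '*' only without credentials
}

// Constructed sample: an RDF client's content-negotiation header (not from the page).
const RDF_ACCEPT = [
  'application/ld+json', 'text/turtle', 'application/n-triples;q=0.9',
  'application/n-quads;q=0.9', 'application/trig;q=0.9',
  'application/rdf+xml;q=0.8', 'text/n3;q=0.7', 'text/html;q=0.5', '*/*;q=0.1',
].join(', ');

console.log(RDF_ACCEPT.length, unsafeHeaderNames({ Accept: RDF_ACCEPT }));
console.log(preflightAllows({ Accept: RDF_ACCEPT }, null));
console.log(preflightAllows({ Accept: RDF_ACCEPT }, 'Accept, Accept-Language'));
```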

@RichardWallis
Contributor

Fixes applied in sdopythonapp ( schemaorg/sdopythonapp#6 (comment) )
Will ship with next schemaorg release (v7.0)

@RichardWallis
Contributor

Apart from one outstanding issue comment, all concerns addressed, so closing.
