Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cannot access Atom feeds from Javascript (CORS issue) #6329

CaptainSpam opened this issue Jan 22, 2018 · 4 comments


None yet
6 participants
Copy link

commented Jan 22, 2018

I'm working on a simple StatusNet (GNU Social, Mastodon, etc) Javascript widget, so one could, for instance, embed a StatusNet feed into a website. It's mostly for my own use on my own server, but I'm trying to make it as useful as possible for people with other setups than I use.

The way I have it set up, you give the widget an Atom feed, it downloads it, and it formats the posts. This works fine on my GNU Social setup, but it fails on any Mastodon instance I try it on, owing to the Atom feeds not being sent with Access-Control-Allow-Origin headers. Javascript refuses to do anything with that for (very good) security reasons.

I'll admit I haven't done much work involving Javascript reading data from remote APIs like this, so this may seem like a naive question, but is there a specific reason why Mastodon doesn't return that header when fetching a user's Atom feed? And if not, would it be possible to update it to do so?

I'm not currently running a Mastodon instance; this is just from the perspective of a developer reading data from a feed.

  • I searched or browsed the repo’s other issues to ensure this is not a duplicate.
  • This bug happens on a tagged release and not on master (If you're a user, don't worry about this).

This comment has been minimized.

Copy link

commented Jan 22, 2018


This comment has been minimized.

Copy link

commented Jan 23, 2018

Note that browsers won't send credentials (i.e. cookies) on cross-origin requests unless the server allowed explicitly via exposes Access-Control-Allow-Credentials header. Also we've already allowed basic CORS on some routes including REST APIs.

config.middleware.insert_before 0, Rack::Cors do
allow do
origins '*'
resource '/@:username', headers: :any, methods: [:get], credentials: false
resource '/api/*', headers: :any, methods: [:post, :put, :delete, :get, :patch, :options], credentials: false, expose: ['Link', 'X-RateLimit-Reset', 'X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Request-Id']
resource '/oauth/token', headers: :any, methods: [:post], credentials: false

@Gargron Gargron added the bug label Oct 20, 2018


This comment has been minimized.

Copy link

commented Oct 24, 2018

Same issue for ActivityPub endpoints


This comment has been minimized.

Copy link

commented Nov 2, 2018

Same issue for the status embed endpoint.

For example:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.