Updated CORS headers #690
This change should also be made to the node service template, so it can be picked up by other services, like MCS.
@berndsi Yep, that's the plan after we discuss this PR
@@ -59,7 +59,8 @@ module.exports = function addCSPHeaders(hyper, req, next, options) { | |||
// Set up basic CORS headers | |||
rh['access-control-allow-origin'] = '*'; | |||
rh['access-control-allow-methods'] = 'GET'; | |||
rh['access-control-allow-headers'] = 'accept, content-type'; | |||
rh['access-control-allow-headers'] = | |||
'accept, accept-encoding, origin, accept-language, content-type'; |
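Review bot: the widened `access-control-allow-headers` value carries no comment explaining why each name is listed. `origin` and `accept-encoding` are set by the browser rather than by page scripts, so a later reader will not know why they are here; a short comment above the assignment naming the client behaviour that needs them and the bug (T148368) would document it and discourage the list from growing without a reason.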
It's actually impossible to override `origin` in clients, as it is part of verifying the domain it comes from as part of the CORS system. Adding it here would just be confusing.
@gwicke Safari 9 sends it with an OPTIONS request. As I understand, normally you need to send back all the headers from the OPTIONS preflight request to allow it and I couldn't find anything about the `Origin` header being somehow specific.
Bug: https://phabricator.wikimedia.org/T148368
Also updated one test page location, it's been deleted on wikipedia, moved it to labs.
cc @wikimedia/services
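The preflight header check this thread is about, as an added example (not code from the PR or the project): a simplified model of how a browser compares the `Access-Control-Request-Headers` it sent against the `Access-Control-Allow-Headers` it got back. The function names and the sample request value are assumptions made for illustration; the two allow-lists are the old and new values from the diff.

```javascript
'use strict';

// Split a comma-separated header value into lower-cased, trimmed names.
function parseHeaderList(value) {
    return (value || '')
        .split(',')
        .map((name) => name.trim().toLowerCase())
        .filter((name) => name.length > 0);
}

// Return the names from Access-Control-Request-Headers that the
// Access-Control-Allow-Headers value does not cover. An empty result
// means this part of the preflight check passes. Header names are
// compared case-insensitively.
function uncoveredHeaders(requestHeadersValue, allowHeadersValue, credentialed = false) {
    const allowed = new Set(parseHeaderList(allowHeadersValue));
    // '*' acts as a wildcard only for requests without credentials,
    // and it never covers 'authorization'.
    const wildcard = allowed.has('*') && !credentialed;
    return parseHeaderList(requestHeadersValue).filter((name) => {
        if (allowed.has(name)) {
            return false;
        }
        return !(wildcard && name !== 'authorization');
    });
}

// Allow-lists taken from the diff in this PR.
const OLD_ALLOW = 'accept, content-type';
const NEW_ALLOW = 'accept, accept-encoding, origin, accept-language, content-type';

// Constructed sample: a preflight whose header list includes Origin,
// assumed here to match the Safari 9 behaviour reported in the thread.
const SAMPLE_REQUEST_HEADERS = 'Accept, Origin, Content-Type';

console.log('old list leaves uncovered:', uncoveredHeaders(SAMPLE_REQUEST_HEADERS, OLD_ALLOW));
console.log('new list leaves uncovered:', uncoveredHeaders(SAMPLE_REQUEST_HEADERS, NEW_ALLOW));
```

A server-side test can reuse `uncoveredHeaders` to assert that the header list a given client sends in its preflight is fully covered before a release.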