Add CORS header ('Access-Control-Allow-Origin') to public APIs #327

Open: wants to merge 1 commit into base: develop

Conversation

Dar13 commented Jun 21, 2020

This permits external websites to query WriteFreely instances for:

  • Collections
  • Public posts in collections
  • Specific public posts.

Without these changes, websites attempting to use the public API to query collections (such as my site: moor3.xyz, source) will receive CORS errors. @cjeller1592 helped me in the past with a CORS proxy (discussion), but it's time to fix it at the source.

I consider this PR to be more like an RFC; I'm fully open to guidance/critique on how to make these changes acceptable.


  • I have signed the CLA
thebaer (Member) commented Jun 22, 2020

Thank you for taking this on! I agree we should fix this in the application, and these are probably the most important API endpoints to do this on.

One thing that jumps out at me: as it stands, the header will only be set on successful responses. If an error is returned in any of these funcs, it bubbles up to the Handler.All() middleware and the Access-Control-Allow-Origin header is never set.

So a better place for these additions might be in the Handler.All() method (or a modified version, or a new variation of it), somewhere before this line:

err := f(h.app.App(), w, r)

Allows all API endpoints using 'AllReader' to be queryable by any
origin.
@Dar13 Dar13 force-pushed the Dar13:add-cors-headers-public-api branch from b57a4cb to 94bcb91 Jun 24, 2020
Dar13 (Author) commented Jun 24, 2020

So a better place for these additions might be in the Handler.All() method (or a modified version, or a new variation of it), somewhere before this line

It seems AllReader is a suitable place; only GET requests use it currently. Those endpoints are (as best as I can tell) also endpoints that don't require authentication if the instance is public. I've adjusted the patch in this PR accordingly.

For authenticated endpoints I think a more fully fleshed-out approach is needed, such as users choosing which origin(s) are permitted to query/update/post/etc among others.
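An added illustration of the two points in this thread (not WriteFreely's code; handlerFunc, fetchPost, all and allReader are assumed stand-ins for the project's handler shape, Handler.All() and AllReader): a header set inside the endpoint reaches only successful responses, while a wrapper that sets it before calling the handler, and is applied only to the public GET endpoints, also covers the error path.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httptest"
)

type handlerFunc func(w http.ResponseWriter, r *http.Request) error // errors go to the wrapper

// fetchPost serves one constructed public post and fails for any other slug.
func fetchPost(w http.ResponseWriter, r *http.Request) error {
	if r.URL.Query().Get("slug") != "hello" {
		return errors.New("post not found")
	}
	_, err := w.Write([]byte("first post"))
	return err
}

// fetchPostInline sets the header in the endpoint itself, so only the success path carries it.
func fetchPostInline(w http.ResponseWriter, r *http.Request) error {
	if r.URL.Query().Get("slug") == "hello" {
		w.Header().Set("Access-Control-Allow-Origin", "*")
	}
	return fetchPost(w, r)
}

// all plays the role of Handler.All(): run f and turn a returned error into a 404.
func all(f handlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if err := f(w, r); err != nil {
			http.Error(w, err.Error(), http.StatusNotFound)
		}
	}
}

// allReader sets the header before f runs, so error responses carry it as well.
func allReader(f handlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		all(f)(w, r)
	}
}

// corsHeader serves a constructed GET and returns the header a browser would see.
func corsHeader(h http.HandlerFunc, slug string) string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/api/posts?slug="+slug, nil))
	return rec.Result().Header.Get("Access-Control-Allow-Origin")
}
```

Only the public, unauthenticated GET handlers should go through allReader; endpoints that need a session are left for the per-origin scheme discussed above.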

@thebaer thebaer added this to the 0.13 milestone Jul 23, 2020