
Add CORS header ('Access-Control-Allow-Origin') to public APIs #327

Merged 1 commit on Sep 1, 2020



Dar13 commented Jun 21, 2020

This permits external websites to query WriteFreely instances for:

  • Collections
  • Public posts in collections
  • Specific public posts.

Without these changes, websites attempting to use the public API to query collections (such as my site:, source) will receive CORS errors. @cjeller1592 helped me in the past with a CORS proxy (discussion), but it's time to fix it at the source.

I consider this PR to be more like an RFC; I'm fully open to guidance/critique on how to make these changes acceptable.

  • I have signed the CLA


thebaer commented Jun 22, 2020

Thank you for taking this on! I agree we should fix this in the application, and these are probably the most important API endpoints to do this on.

One thing that jumps out at me: as it stands, the header will only be set on successful responses. If an error is returned in any of these funcs, it bubbles up to the Handler.All() middleware and the Access-Control-Allow-Origin header is never set.

So a better place for these additions might be in the Handler.All() method (or a modified version, or a new variation of it), somewhere before this line:

Dar13 force-pushed the add-cors-headers-public-api branch from b57a4cb to 94bcb91 on June 24, 2020 (commit: "Allows all API endpoints using 'AllReader' to be queryable by any")

Dar13 commented Jun 24, 2020

So a better place for these additions might be in the Handler.All() method (or a modified version, or a new variation of it), somewhere before this line

It seems AllReader is a suitable place; only GET requests use it currently. Those endpoints are (as best as I can tell) also endpoints that don't require authentication if the instance is public. I've adjusted the patch in this PR accordingly.

For authenticated endpoints I think a more fully-fleshed out approach is needed, such as users choosing which origin(s) are permitted to query/update/post/etc among others.
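The placement problem thebaer raises (header set inside the handler, so error responses never get it) next to the middleware-level fix Dar13 moved to with AllReader, as an added Go example. This is not WriteFreely's code: the `handlerFunc` type, the `/api/posts/...` paths and the wrapper names are constructed stand-ins for the pattern the thread describes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Hypothetical handler type modelled on the thread, not WriteFreely's own code:
// the handler returns an error and the wrapping middleware reports it.
type handlerFunc func(w http.ResponseWriter, r *http.Request) error

// getPost sets the header itself (the PR's first revision); only reached on success.
func getPost(w http.ResponseWriter, r *http.Request) error {
	if r.URL.Path != "/api/posts/abc" {
		return fmt.Errorf("post %q not found", r.URL.Path)
	}
	w.Header().Set("Access-Control-Allow-Origin", "*")
	return nil // implicit 200 with an empty body is enough for this demonstration
}

// inHandler is the case thebaer describes: the error bubbles up and the 404 has no header.
func inHandler(h handlerFunc) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := h(w, r); err != nil {
			http.Error(w, err.Error(), http.StatusNotFound)
		}
	})
}

// readerCORS mirrors the AllReader fix: header set before the handler runs, so errors carry it too.
func readerCORS(h handlerFunc) http.Handler {
	inner := inHandler(h)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		inner.ServeHTTP(w, r)
	})
}

// probe runs one GET through h and returns the status code and the header value.
func probe(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	_, before := probe(inHandler(getPost), "/api/posts/nope")
	_, after := probe(readerCORS(getPost), "/api/posts/nope")
	fmt.Printf("header on 404: in handler=%q, in middleware=%q\n", before, after)
}
```

Wrapping only the read-only GET wrapper this way keeps the wildcard origin off authenticated endpoints, which is the scoping Dar13 settled on.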

thebaer added this to the 0.13 milestone Jul 23, 2020

thebaer commented Sep 1, 2020

Sorry for the delay on this! I agree, the AllReader method is a good place for the header that should cover most basic needs.

Beyond that, we can definitely expand on this with better customization in the future. If you'd like to get that discussion started, please feel free to start a topic on the forum!

Merging now -- thanks again for contributing!

thebaer merged commit f75d4cb into writefreely:develop Sep 1, 2020
Dar13 deleted the add-cors-headers-public-api branch September 30, 2020 00:53

2 participants