Skip to content

Add CORS header ('Access-Control-Allow-Origin') to public APIs#327

Merged
thebaer merged 1 commit into
writefreely:developfrom
Dar13:add-cors-headers-public-api
Sep 1, 2020
Merged

Add CORS header ('Access-Control-Allow-Origin') to public APIs#327
thebaer merged 1 commit into
writefreely:developfrom
Dar13:add-cors-headers-public-api

Conversation

@Dar13
Copy link
Copy Markdown
Contributor

@Dar13 Dar13 commented Jun 21, 2020

This permits external websites to query WriteFreely instances for:

  • Collections
  • Public posts in collections
  • Specific public posts.

Without these changes, websites attempting to use the public API to query collections (such as my site: moor3.xyz, source) will receive CORS errors. @cjeller1592 helped me in the past with a CORS proxy (discussion), but it's time to fix it at the source.

I consider this PR to be more like an RFC, I'm fully open to guidance/critique on how to make these changes acceptable.

  • I have signed the CLA

@thebaer
Copy link
Copy Markdown
Member

thebaer commented Jun 22, 2020

Thank you for taking this on! I agree we should fix this in the application, and these are probably the most important API endpoints to do this on.

One thing that jumps out at me: as it stands, the header will only be set on successful responses. If an error is returned in any of these funcs, it bubbles up to the Handler.All() middleware and the Access-Control-Allow-Origin header is never set.

So a better place for these additions might be in the Handler.All() method (or a modified version, or a new variation of it), somewhere before this line: https://github.com/writeas/writefreely/blob/5c94d23466dc3e7e1821b845d9d7db9294c48af4/handle.go#L541

@Dar13
Add CORS header ('Access-Control-Allow-Origin') to 'AllReader'
94bcb91 
Allows all API endpoints using 'AllReader' to be queryable by any
origin.
@Dar13 Dar13 force-pushed the add-cors-headers-public-api branch from b57a4cb to 94bcb91 Compare June 24, 2020 00:35
@Dar13
Copy link
Copy Markdown
Contributor Author

Dar13 commented Jun 24, 2020
edited
Loading

So a better place for these additions might be in the Handler.All() method (or a modified version, or a new variation of it), somewhere before this line

It seems AllReader is a suitable place only GET requests use it currently. Those endpoints are (as best as I can tell) also endpoints that don't require authentication if the instance is public. I've adjusted the patch in this PR accordingly.

For authenticated endpoints I think a more fully-fleshed out approach is needed, such as users choosing which origin(s) are permitted to query/update/post/etc among others.

@thebaer thebaer added this to the 0.13 milestone Jul 23, 2020
@thebaer
Copy link
Copy Markdown
Member

thebaer commented Sep 1, 2020

Sorry for the delay on this! I agree, the AllReader method is a good place for the header that should cover most basic needs.

Beyond that, we can definitely expand on this with better customization in the future. If you'd like to get that discussion started, please feel free to start a topic on the forum!

Merging now -- thanks again for contributing!

@thebaer thebaer merged commit f75d4cb into writefreely:develop Sep 1, 2020
@Dar13 Dar13 deleted the add-cors-headers-public-api branch September 30, 2020 00:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

0.13

Development

Successfully merging this pull request may close these issues.

2 participants

@Dar13 @thebaer