New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable CORS by default #114

Open
marcenuc opened this Issue Dec 1, 2015 · 9 comments

Comments

Projects
None yet
4 participants
@marcenuc

marcenuc commented Dec 1, 2015

I have created a new project with:

stack new myproject yesod-scaffold/hsfiles/postgres.hsfiles
cd myproject
stack build
stack exec -- yesod devel
open http://localhost:3000/

The glyphicons are not displayed correctly because CORS is not properly setup. Then I have installed the wai-cors package as explained in yesodweb/yesod-cookbook#2 and now it works.

I think this should be in the default setup because the home page has glyphicons.

Are you open to a pull-request?

@snoyberg

This comment has been minimized.

Show comment
Hide comment
@snoyberg

snoyberg Dec 3, 2015

Member

Enabling CORS has security implications, and therefore IMO should not be something we turn on by default.

Member

snoyberg commented Dec 3, 2015

Enabling CORS has security implications, and therefore IMO should not be something we turn on by default.

@marcenuc

This comment has been minimized.

Show comment
Hide comment
@marcenuc

marcenuc Dec 4, 2015

OK, the default configuration should be secure.

But the default configuration should also work, without errors, because any error gives the impression that something went wrong during setup.

Being a newcomer, I have lost a lot of time trying to figure out what I have done wrong, just to discover that it was a known "feature". :-)

Maybe we should add a warning message to homepage.hamlet saying why glyphicons are not working and how to fix it.

marcenuc commented Dec 4, 2015

OK, the default configuration should be secure.

But the default configuration should also work, without errors, because any error gives the impression that something went wrong during setup.

Being a newcomer, I have lost a lot of time trying to figure out what I have done wrong, just to discover that it was a known "feature". :-)

Maybe we should add a warning message to homepage.hamlet saying why glyphicons are not working and how to fix it.

@snoyberg

This comment has been minimized.

Show comment
Hide comment
@snoyberg

snoyberg Dec 4, 2015

Member

I don't see any errors, and wouldn't expect to need CORS at all in the scaffolded setup, since the assets are being served (in principle) from the same domain name. It's possible that you're accessing the site over one address (e.g., 127.0.0.1) while the generated URLs are something else (e.g., localhost). If you provide more information on what errors you're seeing, that would be useful.

Member

snoyberg commented Dec 4, 2015

I don't see any errors, and wouldn't expect to need CORS at all in the scaffolded setup, since the assets are being served (in principle) from the same domain name. It's possible that you're accessing the site over one address (e.g., 127.0.0.1) while the generated URLs are something else (e.g., localhost). If you provide more information on what errors you're seeing, that would be useful.

@marcenuc

This comment has been minimized.

Show comment
Hide comment
@marcenuc

marcenuc Dec 4, 2015

You are right, the problem is in the URL I am using. The problem is with http://127.0.0.1:3000 (you may need to force reload of the page with Ctrl+Shif+R, because the fonts may be cached). With http://localhost:3000 it works fine.

Then the error is in the messages printed by yesod on start:

$ stack exec -- yesod devel
Yesod devel server. Type 'quit' to quit
Application can be accessed at:

http://127.0.0.1:3000
https://127.0.0.1:3443
If you wish to test https capabilities, you should set the following variable:
  export APPROOT=https://127.0.0.1:3443

Later it says: Devel application launched: http://localhost:3000. But this is less visible because it is intermixed with the messages of database migrations.

marcenuc commented Dec 4, 2015

You are right, the problem is in the URL I am using. The problem is with http://127.0.0.1:3000 (you may need to force reload of the page with Ctrl+Shif+R, because the fonts may be cached). With http://localhost:3000 it works fine.

Then the error is in the messages printed by yesod on start:

$ stack exec -- yesod devel
Yesod devel server. Type 'quit' to quit
Application can be accessed at:

http://127.0.0.1:3000
https://127.0.0.1:3443
If you wish to test https capabilities, you should set the following variable:
  export APPROOT=https://127.0.0.1:3443

Later it says: Devel application launched: http://localhost:3000. But this is less visible because it is intermixed with the messages of database migrations.

snoyberg added a commit that referenced this issue Dec 4, 2015

@snoyberg

This comment has been minimized.

Show comment
Hide comment
@snoyberg

snoyberg Dec 4, 2015

Member

I've just pushed a commit to the scaffolding (postgres branch) that switches the default behavior from a hard-coded application root to guessing the application root from the request. However, there seems to be a problem with this an the https server, which I'll need to check next week.

Member

snoyberg commented Dec 4, 2015

I've just pushed a commit to the scaffolding (postgres branch) that switches the default behavior from a hard-coded application root to guessing the application root from the request. However, there seems to be a problem with this an the https server, which I'll need to check next week.

@snoyberg

This comment has been minimized.

Show comment
Hide comment
@snoyberg

snoyberg Dec 6, 2015

Member

I've identified the issue with TLS, which is a bug in warp-tls: yesodweb/wai#478

Other than that, I believe switching the scaffolding over to guessApproot is the right approach. I'll also update yesod-bin to use localhost instead of 127.0.0.1, though that shouldn't have any meaningful impact anymore.

Member

snoyberg commented Dec 6, 2015

I've identified the issue with TLS, which is a bug in warp-tls: yesodweb/wai#478

Other than that, I believe switching the scaffolding over to guessApproot is the right approach. I'll also update yesod-bin to use localhost instead of 127.0.0.1, though that shouldn't have any meaningful impact anymore.

snoyberg added a commit to yesodweb/yesod that referenced this issue Dec 6, 2015

snoyberg added a commit to yesodweb/yesod that referenced this issue Dec 6, 2015

snoyberg added a commit to yesodweb/yesod that referenced this issue Dec 6, 2015

@bsima

This comment has been minimized.

Show comment
Hide comment
@bsima

bsima Mar 14, 2018

What is the recommended way to handle CORS with a static subsite like static.example.com?

bsima commented Mar 14, 2018

What is the recommended way to handle CORS with a static subsite like static.example.com?

@MaxGabriel

This comment has been minimized.

Show comment
Hide comment
@MaxGabriel

MaxGabriel Mar 14, 2018

Member

Not sure if it’s the best way, but you can use the wai-cors package to add headers to allow the browser to access those resources

Member

MaxGabriel commented Mar 14, 2018

Not sure if it’s the best way, but you can use the wai-cors package to add headers to allow the browser to access those resources

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment