Skip to content
This repository was archived by the owner on Jun 27, 2023. It is now read-only.
This repository was archived by the owner on Jun 27, 2023. It is now read-only.

Avoid usage of Access-Control-Allow-Origin:* when possible #118

Description

@slorber

See reasons here:
linkeddata/rdflib.js#35

XMLHttpRequest cannot load https://www.stample.io/srv/cors?url=http%3A%2F%2Fbblfish.net%2Fpeople%2Fhenry%2Fcard. 
Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''. 
It must be 'true' to allow credentials.

It seems the credentials flag is required for Firefox. Since this flag is added in RDFLib the responses for other domain resources must add a new Access-Control-Allow-Credentials: true.

But with this flag, we can't use a wildcard for Access-Control-Allow-Origin

OPTIONS https://sebas5.stample.io/card 
Wildcards cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. 
Origin 'http://cimba.co' is therefore not allowed access. jquery.min.js:5

So, for requests on other domains with credentials flag = true (now it's rdflib.js default)

This works:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:https://sebastien1.localhost:8443

This doesn't work:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:*

So I think we should try to avoid using the wildcard when it's possible and fix the allowed domains.

For serving RWW resources we should probably use the acl:origin (with a fallback to request Origin header maybe?). I don't see this implemented yet and it seems we use a * in controllers.ldp.ReadWriteWebControllerGeneric#writeGetResult

For the CORS proxy we should probably do something similar. The actual code handles it not so badly: Access-Control-Allow-Origin: {value sent by remote resource, falling back to request Origin header value, falling back to *}, except for error handling so error body may not be available to the client.

What do you think @bblfish

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions