See reasons here:
linkeddata/rdflib.js#35
XMLHttpRequest cannot load https://www.stample.io/srv/cors?url=http%3A%2F%2Fbblfish.net%2Fpeople%2Fhenry%2Fcard.
Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''.
It must be 'true' to allow credentials.
It seems the credentials flag is required for Firefox. Since this flag is added in RDFLib the responses for other domain resources must add a new Access-Control-Allow-Credentials: true.
But with this flag, we can't use a wildcard for Access-Control-Allow-Origin
OPTIONS https://sebas5.stample.io/card
Wildcards cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true.
Origin 'http://cimba.co' is therefore not allowed access. jquery.min.js:5
So, for requests on other domains with credentials flag = true (now it's rdflib.js default)
This works:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:https://sebastien1.localhost:8443
This doesn't work:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:*
So I think we should try to avoid using the wildcard when it's possible and fix the allowed domains.
For serving RWW resources we should probably use the acl:origin (with a fallback to request Origin header maybe?). I don't see this implemented yet and it seems we use a * in controllers.ldp.ReadWriteWebControllerGeneric#writeGetResult
For the CORS proxy we should probably do something similar. The actual code handles it not so badly: Access-Control-Allow-Origin: {value sent by remote resource, falling back to request Origin header value, falling back to *}, except for error handling so error body may not be available to the client.
What do you think @bblfish
See reasons here:
linkeddata/rdflib.js#35
It seems the credentials flag is required for Firefox. Since this flag is added in RDFLib the responses for other domain resources must add a new
Access-Control-Allow-Credentials: true.But with this flag, we can't use a wildcard for
Access-Control-Allow-OriginSo, for requests on other domains with credentials flag = true (now it's rdflib.js default)
This works:
This doesn't work:
So I think we should try to avoid using the wildcard when it's possible and fix the allowed domains.
For serving RWW resources we should probably use the
acl:origin(with a fallback to request Origin header maybe?). I don't see this implemented yet and it seems we use a*incontrollers.ldp.ReadWriteWebControllerGeneric#writeGetResultFor the CORS proxy we should probably do something similar. The actual code handles it not so badly:
Access-Control-Allow-Origin: {value sent by remote resource, falling back to request Origin header value, falling back to *}, except for error handling so error body may not be available to the client.What do you think @bblfish