Add CORS middleware handler to the API. #1215
@@ -8,6 +8,8 @@ import ( | |||
"strconv" | |||
"strings" | |||
|
|||
"github.com/rs/cors" |
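Review bot: the added import "github.com/rs/cors" at the end of the import block puts a third-party package on the API's request path, so it should be vendored at a reviewed revision rather than resolved from upstream at build time. The handler configuration is outside this hunk; where it is wired in, check that the allowed origins are an explicit list, since a wildcard on the API route would let any web page read API responses from a user's local daemon.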
needs to be vendored. run `make vendor` in project root. you may have to `godep restore` or manually `go get` dependencies for it to work correctly, i believe.
Done, thanks.
👍 for tests! this is a good change IMO. i wonder about the handler wrapper-- feels clunky to me. wonder if maybe we can use the parts of the library instead of the handler wrapper. @cryptix PTAL?
Okay, i'll just merge this in.
Add CORS middleware handler to the API.
So what is the current status regarding CORS in IPFS? I'd like to enable simple wildcard CORS headers in the daemon, until such time an authenticated API is available. In particular I want to be serving Federated Wiki from IPFS, mixing content freely with other CORS enabled Fedwiki sites.
@opn this should be working, but as i'm curling the gateway and my local node, i'm not seeing the proper headers: WIP, hit enter too early.
@opn you're right, we're missing CORS headers on the gateway. The above CORS headers were added to the API route only. We need to add a CORS handler thing similar to this PR but for the HTTP gateway. Relevant code:
> curl -X HEAD -I http://127.0.0.1:8080/ipfs/QmRwsK1Cgq44gtuigfU8VHveTY3aazYro73j8uZakDjpsR
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=29030400
Content-Length: 10
Content-Type: text/plain; charset=utf-8
Etag: QmRwsK1Cgq44gtuigfU8VHveTY3aazYro73j8uZakDjpsR
Last-Modified: Thu, 01 Jan 1970 00:00:01 GMT
Suborigin: QmRwsK1Cgq44gtuigfU8VHveTY3aazYro73j8uZakDjpsR
X-Ipfs-Path: /ipfs/QmRwsK1Cgq44gtuigfU8VHveTY3aazYro73j8uZakDjpsR
Date: Mon, 22 Jun 2015 01:37:14 GMT
The CORS header code for the webui is here:
(Also @opn, 👍 on getting federated wiki going on ipfs! We should try to get this CORS thing figured out for you this week, let us know if we can help with anything else on that front!)
cc @NodeGuy @krl @travisperson Do we want the same CORS header setup for the gateway? Or something else? what are all the relevant security concerns here? Sidenote: the origin problem is tangential, but separate. We hope to address that with per-page suborigins once they land, using subdomains in the meantime.
I don't see why not.
I think it would be fine, but I'm not completely up to speed on the security issues around CORS. I understand what it is and what it does and how to use it, but that's about it really. I think it would be good to get @diasdavid thoughts on this as well.
Fixes #1017 and #1049.
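
The state discussed in this thread (CORS headers on the API route only, none on the gateway) can be checked per route with a small probe. The following is an added example, not code from this PR or from rs/cors: `allowOrigins`, `newMux` and `corsHeader` are hypothetical stdlib-only helpers, and the origins and paths are constructed sample values.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowOrigins (hypothetical, stdlib only) echoes Origin back only if allowlisted.
func allowOrigins(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]bool, len(allowed))
	for _, o := range allowed {
		set[o] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		w.Header().Add("Vary", "Origin") // caches must key on Origin
		if set[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
		}
		next.ServeHTTP(w, r)
	})
}

// newMux mirrors the thread: API route wrapped, gateway route not (constructed paths).
func newMux(apiOrigins []string) *http.ServeMux {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	})
	mux := http.NewServeMux()
	mux.Handle("/api/v0/", allowOrigins(apiOrigins, ok))
	mux.Handle("/ipfs/", ok)
	return mux
}

// corsHeader returns the Access-Control-Allow-Origin a route sends for origin ("" if none).
func corsHeader(h http.Handler, path, origin string) string {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	mux := newMux([]string{"http://wiki.example"})
	fmt.Println(corsHeader(mux, "/api/v0/version", "http://wiki.example"))
	fmt.Println(corsHeader(mux, "/ipfs/QmExample", "http://wiki.example") == "")
}
```

Running the same probe against every mounted route in a test makes a missing or over-broad CORS policy visible before release.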