Proposal: generate default config with cors.allow_origin = "*" #1061
Comments
|
This is related to this #1004 Also, maybe we could change the 401 to 403 (Forbidden) |
|
We had this very long ago but thought it was a bad idea to have default values that were insecure. Maybe the cookie cutter that creates settings makes this setting explicit? |
oh ok
yes, that's the case https://github.com/plone/guillotina/blob/master/guillotina/cookiecutter/application/%7B%7Bcookiecutter.package_name%7D%7D/config.yaml#L23-L25 |
|
Maybe have the default insecure with a logging message warning about it? |
|
Sounds good to me! I'll open a PR later |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The idea is to make easier to start developing with guillotina and a frontend. Right now guillotina returns a 401 (Unauthorized) when origin is not allowed, and because this is returned from a OPTIONS it's not possible to provide a nice message to distinguish the cors error from a authentication error.
I think most frameworks doesn't have CORS enabled by default and probably the CORS would be managed by a reverse proxy when guillotina is deployed in production, so I think making this opt-in would be better.
What do you think?
The text was updated successfully, but these errors were encountered: