Add CORS header ('Access-Control-Allow-Origin') to public APIs #327
Conversation
|
Thank you for taking this on! I agree we should fix this in the application, and these are probably the most important API endpoints to do this on. One thing that jumps out at me: as it stands, the header will only be set on successful responses. If an So a better place for these additions might be in the |
Allows all API endpoints using 'AllReader' to be queryable by any origin.
Dar13
force-pushed
the
add-cors-headers-public-api
branch
from
b57a4cb
to
94bcb91
Compare
It seems For authenticated endpoints I think a more fully-fleshed out approach is needed, such as users choosing which origin(s) are permitted to query/update/post/etc among others. |
|
Sorry for the delay on this! I agree, the Beyond that, we can definitely expand on this with better customization in the future. If you'd like to get that discussion started, please feel free to start a topic on the forum! Merging now -- thanks again for contributing! |
This permits external websites to query WriteFreely instances for:
Without these changes, websites attempting to use the public API to query collections (such as my site: moor3.xyz, source) will receive CORS errors. @cjeller1592 helped me in the past with a CORS proxy (discussion), but it's time to fix it at the source.
I consider this PR to be more like an RFC, I'm fully open to guidance/critique on how to make these changes acceptable.