Example website with CORS Jakub T. Jankiewicz (13 Dec 2020 18:20 UTC)
Re: Example website with CORS Lassi Kortela (29 Dec 2020 23:09 UTC)
Re: Example website with CORS Jakub T. Jankiewicz (29 Dec 2020 23:57 UTC)
Re: Example website with CORS Lassi Kortela (30 Dec 2020 00:03 UTC)
Re: Example website with CORS Jakub T. Jankiewicz (30 Dec 2020 01:51 UTC)

Re: Example website with CORS Lassi Kortela 30 Dec 2020 00:03 UTC

> scheme.org needs to provide special HTTP headers to make it work. There
> probably will be no login of any kind on this website, so it would be safe to
> just add CORS to the main website.

Some of the subdomains will probably have parts that require a login
eventually. For example, a forum, wiki or some kind of demo. In
particular, if Scheme implementations host their websites under
scheme.org, we should give them the liberty to install their own
forums, wikis, mailing list management software and the like.

> The only thing that needs to be done is this HTTP header:
>
> 	Access-Control-Allow-Origin: *
>
> it will make it possible to send requests to scheme.org from any website
> using Ajax.
>
> One note: it may require allowing the HTTP method OPTIONS, which also returns
> this header. Some Ajax calls send two requests: first an OPTIONS request; if
> it has CORS headers, then the second, proper GET or POST request is sent. I'm
> not exactly sure now when this may happen. Maybe it happens when you send a
> POST request.
>
> It would be nice also if the API also returned that header, so it can be used
> in the browser as well. There is probably no need for other domains to return
> that header though.

This sounds like something with quite broad and possibly hard-to-predict
security implications if we apply it to the whole scheme.org.

Would it be enough if we have CORS for api.scheme.org only? Then API
calls could be made from any domain.

If you want an example that returns some HTML to Lips, we can add an API
endpoint that returns HTML.
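
Added example, not part of the original message and not scheme.org's actual configuration: a sketch of the header policy discussed above, with the wildcard CORS header sent only for api.scheme.org and the OPTIONS preflight answered there. The host www.scheme.org, the read-only method list and the name corsDecision are assumptions.

```javascript
// Added example, not scheme.org's configuration. The www.scheme.org host and
// the read-only method list are assumptions made for illustration.
const CORS_HOSTS = new Set(["api.scheme.org"]);      // only the API opts in
const ALLOWED_METHODS = ["GET", "HEAD", "OPTIONS"];  // assumed read-only API

// Decide what CORS handling adds to a response. status === null means
// "continue to the normal handler and merge in these headers".
function corsDecision(req) {
  const host = (req.headers["host"] || "").toLowerCase().replace(/:\d+$/, "");
  const origin = req.headers["origin"];
  // Without an Origin header this is not a cross-origin browser request.
  // For hosts outside the allowlist no CORS header is sent, so the browser's
  // same-origin policy keeps other sites from reading the response.
  if (!origin || !CORS_HOSTS.has(host)) return { status: null, headers: {} };

  // Wildcard origin and no Access-Control-Allow-Credentials: browsers refuse
  // to expose credentialed responses under "*", so cookies stay out of it.
  const headers = { "Access-Control-Allow-Origin": "*" };
  const wanted = req.headers["access-control-request-method"];
  if (req.method !== "OPTIONS" || !wanted) return { status: null, headers };

  // Preflight: browsers send it before "non-simple" requests, e.g. PUT or
  // DELETE, a POST with a JSON content type, or custom request headers.
  if (!ALLOWED_METHODS.includes(wanted)) return { status: 403, headers: {} };
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Max-Age"] = "600";
  return { status: 204, headers };
}

// Constructed sample requests (header names lower-cased, as Node.js does).
const EXAMPLE_ORIGIN = "https://example.com";
const SAMPLES = {
  apiGet: { method: "GET", headers: { host: "api.scheme.org", origin: EXAMPLE_ORIGIN } },
  apiPreflight: { method: "OPTIONS", headers: { host: "api.scheme.org",
    origin: EXAMPLE_ORIGIN, "access-control-request-method": "GET" } },
  apiDelete: { method: "OPTIONS", headers: { host: "api.scheme.org",
    origin: EXAMPLE_ORIGIN, "access-control-request-method": "DELETE" } },
  mainSite: { method: "GET", headers: { host: "www.scheme.org", origin: EXAMPLE_ORIGIN } },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(corsDecision(req)));
}
```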