Example website with CORS Jakub T. Jankiewicz (13 Dec 2020 18:20 UTC)
Re: Example website with CORS Lassi Kortela (29 Dec 2020 23:09 UTC)
Re: Example website with CORS Jakub T. Jankiewicz (29 Dec 2020 23:57 UTC)
Re: Example website with CORS Lassi Kortela (30 Dec 2020 00:03 UTC)
Re: Example website with CORS Jakub T. Jankiewicz (30 Dec 2020 01:51 UTC)
Re: Example website with CORS Jakub T. Jankiewicz 30 Dec 2020 01:51 UTC
On Wed, 30 Dec 2020 02:03:39 +0200
Lassi Kortela <xxxxxx@lassi.io> wrote:

> > scheme.org needs to provide special HTTP headers to make it work. There
> > probably will be no login of any kind on this website, so it would be
> > safe to just add CORS to the main website.
>
> Some of the subdomains will probably have parts that require a login
> eventually. For example, a forum, wiki or some kind of demo. In
> particular, if Scheme implementations host their websites under
> scheme.org, we should give them the liberty to install their own
> forums, wikis, mailing list management software and the like.
>
> > The only thing that needs to be done is this HTTP header:
> >
> > Access-Control-Allow-Origin: *
> >
> > It will make it possible to send requests to scheme.org from any website
> > using Ajax.
> >
> > One note: it may require allowing the HTTP method OPTIONS, which also
> > returns this header. Some Ajax calls send two requests: first the OPTIONS
> > method, and if it has CORS headers then the second, proper GET or POST
> > request is sent. I'm not exactly sure now when this may happen. Maybe it
> > happens when you send a POST request.
> >
> > It would be nice also if the API also returned that header, so it can be
> > used in the browser as well. There is probably no need for other domains
> > to return that header though.
>
> This sounds like something with quite broad and possibly hard-to-predict
> security implications if we apply it to the whole scheme.org.
>
> Would it be enough if we have CORS for api.scheme.org only? Then API
> calls could be made from any domain.
>
> If you want an example that returns some HTML to Lips, we can add an API
> endpoint that returns HTML.

By main website I mean only https://scheme.org. On the main domain there
will probably be no login of any kind; it will be a static website with
links to other domains.

Also it's important for https://api.scheme.org to have CORS headers, so you
can use the API from the browser.

--
Jakub T. Jankiewicz, Web Developer
https://jcubic.pl/me
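
The host-scoped policy discussed in this thread, as an added example that is not part of the original message or of scheme.org's actual configuration: the wildcard header is sent only for an exact-match list of hosts, so a subdomain with a login (for instance a hypothetical forum.scheme.org) gets no CORS headers, and `needsPreflight` shows which requests make a browser send the OPTIONS request first. The function names, the allowed method list and the max-age value are assumptions.

```javascript
// Added example; helper names are hypothetical, not scheme.org code.
// Assumption: exact host names only, so "scheme.org" does not cover subdomains.
const CORS_HOSTS = new Set(['scheme.org', 'api.scheme.org']);

// CORS response headers for one request; {} means "send none".
function corsHeaders(host, method, reqHeaders) {
  const name = String(host || '').toLowerCase().replace(/:\d+$/, '');
  if (!CORS_HOSTS.has(name)) return {};
  // Browsers reject a credentialed cross-origin response when the allowed
  // origin is "*", so this policy only exposes anonymous, public content.
  const headers = { 'Access-Control-Allow-Origin': '*' };
  const preflight = method === 'OPTIONS' &&
    reqHeaders['access-control-request-method'] !== undefined;
  if (preflight) {
    // Assumption: the API is read-only, so POST/PUT/DELETE are not offered.
    headers['Access-Control-Allow-Methods'] = 'GET, HEAD, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// True when a browser sends an OPTIONS preflight before the real request:
// a method other than GET/HEAD/POST, or a Content-Type outside the three
// form-style types. Other non-safelisted headers also trigger it (not modelled).
function needsPreflight(method, contentType) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return true;
  if (contentType === undefined) return false;
  const type = contentType.split(';')[0].trim().toLowerCase();
  return !['application/x-www-form-urlencoded', 'multipart/form-data',
    'text/plain'].includes(type);
}

// Node-style handler, usable as http.createServer(handler).
function handler(req, res) {
  const cors = corsHeaders(req.headers.host, req.method, req.headers);
  for (const [key, value] of Object.entries(cors)) res.setHeader(key, value);
  if (req.method === 'OPTIONS') { res.writeHead(204); return res.end(); }
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end('{"ok":true}');
}
```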