Example website with CORS Jakub T. Jankiewicz (13 Dec 2020 18:20 UTC)
Re: Example website with CORS Lassi Kortela (29 Dec 2020 23:09 UTC)
Re: Example website with CORS Jakub T. Jankiewicz (29 Dec 2020 23:57 UTC)
Re: Example website with CORS Lassi Kortela (30 Dec 2020 00:03 UTC)
Re: Example website with CORS Jakub T. Jankiewicz (30 Dec 2020 01:51 UTC)

Re: Example website with CORS Jakub T. Jankiewicz 30 Dec 2020 01:51 UTC


On Wed, 30 Dec 2020 02:03:39 +0200
Lassi Kortela <xxxxxx@lassi.io> wrote:

> > scheme.org needs to provide special HTTP headers to make it work. There
> > probably will be no login of any kind on this website, so it would be
> > safe to just add CORS to the main website.
>
> Some of the subdomains will probably have parts that require a login
> eventually. For example, a forum, wiki or some kind of demo. In
> particular, if Scheme implementations host their websites under
> scheme.org, we should give them the liberty to install their own
> forums, wikis, mailing list management software and the like.
>
> > The only thing that needs to be done is this HTTP header:
> >
> > 	Access-Control-Allow-Origin: *
> >
> > It will make it possible to send requests to scheme.org from any website
> > using Ajax.
> >
> > One note: it may require allowing the HTTP method OPTIONS, which also
> > returns this header. Some Ajax calls send two requests: first an OPTIONS
> > request, and if it has CORS headers, then the second, proper GET or POST
> > request is sent. I'm not exactly sure now when this may happen. Maybe it
> > happens when you send a POST request.
> >
> > It would also be nice if the API returned that header, so it can be used
> > in the browser as well. There is probably no need for other domains to
> > return that header though.
>
> This sounds like something with quite broad and possibly hard-to-predict
> security implications if we apply it to the whole scheme.org.
>
> Would it be enough if we have CORS for api.scheme.org only? Then API
> calls could be made from any domain.
>
> If you want an example that returns some HTML to Lips, we can add an API
> endpoint that returns HTML.

By main website I mean only https://scheme.org. On the main domain there will
probably be no login of any kind; it will be a static website with links to
other domains. Also, it's important for https://api.scheme.org to have
CORS headers, so you can use the API from the browser.

--
Jakub T. Jankiewicz, Web Developer
https://jcubic.pl/me
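
The policy discussed in this thread, as an added example that is not part of the original message and not scheme.org's actual configuration: the wildcard header is sent only for hosts treated as login-free, and the OPTIONS preflight (which browsers send before non-simple requests, such as a POST with a JSON body) is answered on those hosts. The function name, the host list, the allowed methods and the max-age value are assumptions.

```javascript
// Added example; OPEN_HOSTS, ALLOWED_METHODS and corsDecision are assumptions.
// Hosts that serve only public, login-free content may send the wildcard.
const OPEN_HOSTS = new Set(["scheme.org", "api.scheme.org"]);
const ALLOWED_METHODS = ["GET", "HEAD", "POST", "OPTIONS"];

// Decide the CORS part of a response from the request method and headers.
// Returns { status, headers }; status is null when the normal handler
// should produce the response and only `headers` need to be merged in.
function corsDecision(method, reqHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(reqHeaders)) h[k.toLowerCase()] = v;
  const host = (h["host"] || "").toLowerCase().replace(/:\d+$/, "");
  const headers = {};

  // Any other subdomain (a forum, a wiki, ...) may have logins: send no CORS
  // headers there, so the browser's same-origin policy keeps applying.
  // Requests without an Origin header are not cross-origin Ajax calls.
  if (!OPEN_HOSTS.has(host) || !h["origin"]) return { status: null, headers };

  // Wildcard only, and never Access-Control-Allow-Credentials: browsers do
  // not expose credentialed responses when the allowed origin is "*".
  headers["Access-Control-Allow-Origin"] = "*";

  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  const wanted = h["access-control-request-method"];
  if (method === "OPTIONS" && wanted) {
    if (!ALLOWED_METHODS.includes(wanted.toUpperCase())) {
      return { status: 403, headers: {} };
    }
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
    return { status: 204, headers };
  }
  return { status: null, headers };
}
```
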