OSLC/oslc-browser

Add guidance on CORS

Opened this issue · 3 comments

Without disabling any Chrome security:

  1. Header set Access-Control-Allow-Headers "Content-Type, OSLC-Core-Version" (Apache) needs to be added so that JS code can send the OSLC-Core-Version header (as per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers) as well as use a non-common Content-Type such as RDF (see https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_request_header#Additional_restrictions as to why).
  2. Header set Content-Security-Policy "frame-ancestors 'self' *;" + Header set Access-Control-Allow-Methods "GET, POST, OPTIONS" allow other websites to use an OSLC client to talk to their endpoint as well as to embed their delegated UIs in an IFRAME.
  3. Header set Access-Control-Allow-Credentials "true" allows cookies to be forwarded by the browser on JS requests. However, this feature does not allow a '*' in Access-Control-Allow-Origin. The server MUST reply Access-Control-Allow-Origin: http://localhost:3001 if it wants to let the browser pass auth cookies along with an OSLC Client JS request from that page. This is the only thing that cannot be done via "server config" and shall be done in the response phase of the OSLC server.

See oslc-op/oslc-specs#458 for the backstory
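The three points above, worked through as an added example that is not part of the oslc-browser project or of this issue: a pure Node.js function that computes the CORS response headers for one request, including the per-origin echo from point 3 that a static config cannot express. The origin allow-list (`http://localhost:3001`, `https://client.example.org`), the `corsHeaders` name and the sample requests are assumptions made for the example; the header values themselves are the ones listed in the issue.

```javascript
// Added example (not the oslc-browser project's code). Pure function: pass it
// { method, headers } with lower-case header names, as Node's http module
// delivers them, and it returns the CORS headers to send plus a status when
// the request is a preflight that should be answered immediately.

// Assumed allow-list of pages permitted to make credentialed OSLC requests.
const ALLOWED_ORIGINS = new Set([
  'http://localhost:3001',        // assumed: local OSLC client dev server
  'https://client.example.org',   // assumed: a deployed OSLC client
]);

// Point 1: the browser may only send OSLC-Core-Version and a non-safelisted
// Content-Type (text/turtle, application/rdf+xml) if the server lists them.
const ALLOWED_HEADERS = ['Content-Type', 'OSLC-Core-Version'];
// Point 2: methods an OSLC client is allowed to use cross-origin.
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];

function corsHeaders(req, allowedOrigins = ALLOWED_ORIGINS) {
  const headers = {
    // Static part: this can live in server config (Apache "Header set").
    'Content-Security-Policy': "frame-ancestors 'self' *;",
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
    // The answer depends on Origin; tell shared caches so one origin's
    // Allow-Origin is never replayed to another.
    'Vary': 'Origin',
  };
  const origin = req.headers['origin'];

  // No Origin header: same-origin or non-browser client, nothing to decide.
  if (!origin) return { status: null, headers };

  // Unknown origin: send no Allow-Origin at all. The browser then blocks the
  // response, so a credentialed reply never reaches a foreign page.
  if (!allowedOrigins.has(origin)) {
    return { status: req.method === 'OPTIONS' ? 403 : null, headers };
  }

  // Point 3: with credentials the browser rejects '*', so the exact origin is
  // echoed back. This is the value that has to be computed per response.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';

  if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
    // Preflight: refuse it unless the requested method and headers are covered.
    const wantMethod = req.headers['access-control-request-method'].toUpperCase();
    const wantHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    const allowedLower = ALLOWED_HEADERS.map((h) => h.toLowerCase());
    const okMethod = ALLOWED_METHODS.includes(wantMethod);
    const okHeaders = wantHeaders.every((h) => allowedLower.includes(h));
    if (!okMethod || !okHeaders) return { status: 403, headers };
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers };
  }
  return { status: null, headers };
}

// Constructed sample requests, shaped like what a browser actually sends.
const PREFLIGHT = {
  method: 'OPTIONS',
  headers: {
    origin: 'http://localhost:3001',
    'access-control-request-method': 'POST',
    'access-control-request-headers': 'content-type, oslc-core-version',
  },
};
const ACTUAL = {
  method: 'POST',
  headers: { origin: 'http://localhost:3001', 'content-type': 'text/turtle' },
};
const FOREIGN = {
  method: 'GET',
  headers: { origin: 'https://attacker.example' },
};
```

In a real handler you would call `corsHeaders` first, write its headers onto the response, and end the response early when it returns a non-null status; otherwise continue to the OSLC resource logic. The allow-list check is what makes echoing the Origin safe: reflecting any Origin together with `Access-Control-Allow-Credentials: true` would let every site on the web make cookie-authenticated OSLC requests.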

@jadelkhoury here is an extra requirement for the Access-Control-Allow-Headers (not applicable to Delegated UIs, just for OSLC Clients running in the browser)