Plugin for allowing CORS from specified hosts #454

Closed
simonw opened this issue May 5, 2019 · 5 comments
simonw commented May 5, 2019

It would be useful if Datasette could be configured to allow CORS requests from one or more origins, as opposed to only allowing either none or "*".

This is slightly tricky because the Access-Control-Allow-Origin: https://foo.example header is only allowed to return one value per request - and according to https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS "The Access-Control-Allow-Origin header should contain the value that was sent in the request's Origin header."

This means the application code needs to have a whitelist of allowed hosts and code that dynamically changes the outgoing Access-Control-Allow-Origin header based on the Origin header from the incoming request.

simonw commented May 5, 2019

Since I want the option to store more than one host, I don't think this should be a command-line option or a --config setting. Instead, I'm inclined to add this to metadata.json.

Maybe this should be a plugin? That way the metadata.json setting could look like this:

{
    "title": "Title of this instance",
    "plugins": {
        "datasette-cors": {
            "allowed_origins": ["https://example.com"]
        }
    }
}

This could be implemented easily on top of ASGI #272.

(It should probably raise an exception on startup if any of the allowed_origins ends with a slash e.g. "https://example.com/" since that's not actually a valid origin, and it's an easy mistake to make.)

simonw commented May 5, 2019

Also worth considering: Access-Control-Max-Age: 86400 support - maybe as a "max_age" setting for the plugin. This can reduce the number of preflight checks the browser needs to make.
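The behaviour sketched in the two comments above (echo only a matching Origin, fail at startup on a trailing-slash origin, optional max_age), as an added illustration; this is not the asgi-cors or datasette-cors code, and asgi_cors, hello_app and run_request are hypothetical names.

```python
import asyncio

def validate_origins(origins):
    # Startup check suggested in the issue: an origin never ends with "/".
    for origin in origins:
        if origin.endswith("/"):
            raise ValueError(f"{origin!r} is not a valid origin (trailing slash)")
    return set(origins)

def cors_headers(request_origin, allowed, max_age=None):
    """Headers to add for this request's Origin; empty if it is not allowed."""
    if request_origin not in allowed:
        return []
    # Echo the matching Origin (never "*"); Vary: Origin stops a shared cache
    # from replaying one origin's response to a different origin.
    headers = [(b"access-control-allow-origin", request_origin.encode()),
               (b"vary", b"Origin")]
    if max_age is not None:
        headers.append((b"access-control-max-age", str(max_age).encode()))
    return headers

def asgi_cors(app, allowed_origins, max_age=None):
    """Wrap an ASGI app (hypothetical name; not the asgi-cors package API)."""
    allowed = validate_origins(allowed_origins)
    async def wrapped(scope, receive, send):
        if scope["type"] != "http":
            return await app(scope, receive, send)
        raw = dict(scope.get("headers", [])).get(b"origin")
        origin = raw.decode("latin-1") if raw is not None else None
        async def send_with_cors(message):
            if message["type"] == "http.response.start":
                extra = cors_headers(origin, allowed, max_age)
                message = dict(message, headers=list(message.get("headers", [])) + extra)
            await send(message)
        await app(scope, receive, send_with_cors)
    return wrapped

async def hello_app(scope, receive, send):  # stand-in for Datasette itself
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": b"hi"})

def run_request(app, origin=None):
    """Drive one GET through the app; return its response headers as a dict."""
    scope = {"type": "http", "method": "GET", "path": "/",
             "headers": [(b"origin", origin.encode())] if origin else []}
    sent = []
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        sent.append(message)
    asyncio.run(app(scope, receive, send))
    return dict(sent[0]["headers"])
```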

@simonw simonw changed the title Mechanism for allowing CORS from specified hosts Plugin for allowing CORS from specified hosts May 5, 2019
simonw commented May 5, 2019

I really like the idea of this as a plugin, because it will provide a great example of an ASGI plugin including how to build unit tests against Datasette plugins which actually start up a Datasette server and run some requests through it.

simonw commented May 9, 2019

I built a new ASGI middleware component for CORS headers which I can use to implement this: https://pypi.org/project/asgi-cors/ and https://github.com/simonw/asgi-cors

@simonw simonw self-assigned this Jun 24, 2019
simonw commented Oct 3, 2019

I built and shipped this back in July: https://github.com/simonw/datasette-cors

@simonw simonw closed this as completed Oct 3, 2019