Page 1 of 1

Access-Control-Allow-Origin to HTTP server please?

Posted: Wed Jul 08, 2020 11:35 pm
by sub23
Hi @Void
I've been using the HTTP server, serving my own pages and processing search results from the API.
All good so far, except now I cannot move my webapp because Everything HTTP server doesn't attach CORS headers.

Would it be possible to quickly add

Code: Select all

Access-Control-Allow-Origin: *
to the headers please?
And if you get time later on add configuration option to include your own hostname instead of *

Much appreciated

Re: Access-Control-Allow-Origin to HTTP server please?

Posted: Fri Jul 10, 2020 8:03 am
by void
Please try the latest nightly build

I've added the http_server_access_control_allow_origin ini option.

To set the Access-Control-Allow-Origin header value:
  • In Everything 1.4.1.985 or later, type in the following search and press ENTER:
    /http_server_access_control_allow_origin=*
    where * is the hostname.
  • If successful, you should see http_server_access_control_allow_origin=* in the status bar for a few seconds.

Re: Access-Control-Allow-Origin to HTTP server please?

Posted: Sun Jul 19, 2020 3:42 am
by sub23
Thank you, I will give this a test on my next available slot.

Re: Access-Control-Allow-Origin to HTTP server please?

Posted: Mon Jul 20, 2020 11:36 am
by sub23
Thank you, it's working for standard http requests. I tested using a nodejs dev server with XHR requests to Everything server. The origin settings work as expected in both allowing and denying cross origin requests.

However it seems for authenticated requests we need to also allow Credentials https://developer.mozilla.org/en-US/doc ... redentials

Code: Select all

Access-Control-Allow-Credentials: true
Requesting with basic auth to a password protected Everything results in Reason: CORS header 'Access-Control-Allow-Origin' missing as the browser isn't getting the Access-Control-Allow-Credentials: true header.

I'm also running a local CouchDB server and looking at it's headers, do we also need Access-Control-Allow-Methods and Access-Control-Allow-Headers?
This is what CouchDB sends, with an authenticated login.

Code: Select all

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE
Access-Control-Allow-Origin: http://192.168.1.43:5000

Re: Access-Control-Allow-Origin to HTTP server please?

Posted: Sat Aug 22, 2020 7:11 pm
by sub23
Also today I tried to request a file directly from the server (instead of requesting a search for results).
Now in the browser directly accessing the file is ok.
However if I'm on the Web App and request the resource form the Everything server then it fails because there is no CORS header.

So it seems it's only outputting header when directly searching for example a file list in JSON results.

Re: Access-Control-Allow-Origin to HTTP server please?

Posted: Tue Aug 25, 2020 7:09 am
by void
Thanks for testing http_server_access_control_allow_origin.

Could you please try Everything 1.4.1.991 or later.

This version removes http_server_access_control_allow_origin and adds http_server_header.
With this setting you can specify any number of custom headers values.

http_server_header is a semicolon (or comma) delimited list of header values.

Usage:
http_server_header=header-key1: header-value1;header-key2: header-value2;header-key3: header-value3

Use double quotes to escape commas and semicolons:
http_server_header="header-key1: header-value1a,header-value1b,header-value1c"

This header will be added to the existing header (all pages this time!)

For example, to set the following headers values:

Code: Select all

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE
Access-Control-Allow-Origin: http://192.168.1.43:5000
  • In Everything 1.4.1.991 or later, type in the following search and press ENTER:
    /http_server_header=Access-Control-Allow-Credentials: true;Access-Control-Allow-Headers: content-type;"Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE";Access-Control-Allow-Origin: http://192.168.1.43:5000
Please let me know which headers work for you.