Allow cross-origin requests #3421
This PR would break the existing ability to set a specific hostname, which breaks my use-case of only allowing my site access (I do not federate). |
Would doing this in your web server work? (I can add the environment variable back. I just don't know enough Rust to do that, so it'll take me a while.) |
@ayan4m1 Do you know CORS only stops web browsers from accessing the API, and that nothing can be done to stop bots and apps from accessing it? Even if not federated, your users might want to use a third-party website which provides a better interface. @diamondburned Try the code in #3408, but defaulting the localhost string to *, and using this PR's code if *, or using the code currently in lemmy if anything else. |
This PR's intention isn't to add a new behavior into Edit: Nevermind, I see that that PR changes the default in the Docker env. I think it's best done in code, though. It's also worth noting that the behavior of
|
Hi there! Could this please be merged in? This PR not being merged has been causing me a lot of stress with wefwef and lemmy.world in production the last few days. |
@auouymous Yes, I'm aware, it doesn't matter, I don't want to allow other clients at this time. |
That'll work for blocking off web clients. You'll have a hard time blocking off regular app clients. |
There is one issue that needs to be addressed before this can be merged. LemmyNet/lemmy-ui#1713 added |
@auouymous Actually, that's not the case! See:
The Edit: to be clear, I'm confident about JS not leaking cookies. I think Edit 2: I can only test this maybe after the 3rd, but I don't think there's any issue with this, even with a potential Edit 3: More evidence that this change isn't susceptible to |
CI seems to be failing because of an earlier commit upstream. |
+1 for this, I've been working on a web client and I have to make all requests on the server as of now meaning authentication will be kinda difficult. |
@diamondburned Try rerunning |
The formatting issue came from a separate PR and I don't want to fix that PR in my PR. Doing that makes it a bit harder to work on the codebase in the future. I can make a separate PR to fix the issue separately, but I don't think it matters too much. |
Why did you remove the Cors::permissive debug mode?
The new change is effectively what The only reason why I didn't use it was because the documentation doesn't recommend it. |
Any updates on this? Lack of this header makes development of browser-based clients more difficult and expensive. |
I am facing major issues building a web client because of the strange CORS defaults, I'd like to see this merged soon. |
@dessalines If it helps with the reviewing process, I can add back permissive debug mode. |
CI seems to be failing with a "no space left on device" error:
I don't think this is caused by my PR though. |
You removed the debug mode check tho, why? Just externalize the permissive config, and have it use that if lemmy is in debug mode, or that env var is missing. |
Put the debug mode check back in, and move the permissive config into a var or function somewhere that can be called in either case.
What do you mean by this? What should I need a function for? Shouldn't it just go:
|
Either that or:

- let cors_allowed_any_config = ...
- if debug
  - cors_allowed_any
- else
  - if CORS variable
    - use default with set origin
  - else
    - cors_allowed_any
- if CORS variable
Your PR still doesn't reflect that.
@dessalines What about someone who wants to use LEMMY_CORS_ORIGIN while debugging? |
@dessalines Added the |
Co-authored-by: pfg <pfg@pfg.pw>
Finally! Thank you @diamondburned and other involved people :) |
PR LemmyNet/lemmy#3421 is merged!
* Support bypassing the proxy for some Lemmy instances

  Since LemmyNet/lemmy#3421 was merged, Lemmy instances on 0.18.1 and newer allow cross-origin requests.

* Fix image uploading not being possible cross origin (yet)

Co-authored-by: Alexander Harding <2166114+aeharding@users.noreply.github.com>
This PR modifies CORS behaviors so that when invoking from a different origin, the server will respond with the appropriate CORS headers that allow that origin instead of not including any header at all.
Here's a curl demoing these headers:

This PR fixes issue #3109.
This PR replaces/closes PR #3408 and #3301.
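To make the behaviour discussed in this thread concrete, here is an added example, not code from this PR or from Lemmy, that models the three-way policy selection in the review pseudocode above (debug mode permissive, LEMMY_CORS_ORIGIN set to a single origin, otherwise allow any) and then computes the CORS response headers for an incoming Origin, which is what the PR description says the server now does instead of sending no header. It is plain Rust with no actix dependency so it runs stand-alone; the enum and function names, the sample origins, and the allowed-methods and allowed-headers lists are assumptions.

```rust
// Added example (not Lemmy's code). Models the CORS policy choice from the review
// comment on this PR and the header computation the PR description refers to.
use std::collections::HashMap;

/// Which origins the server allows. Mirrors the review pseudocode's branches:
/// debug => allow any; LEMMY_CORS_ORIGIN set => that origin only; unset => allow any.
#[derive(Debug, PartialEq, Clone)]
pub enum CorsPolicy {
    AllowAny,
    AllowOrigin(String),
}

/// Select the policy from the debug flag and the optional LEMMY_CORS_ORIGIN value.
/// Follows the reviewer's pseudocode: debug wins even if the variable is set.
pub fn select_policy(debug: bool, cors_origin_env: Option<&str>) -> CorsPolicy {
    if debug {
        return CorsPolicy::AllowAny;
    }
    match cors_origin_env {
        Some(origin) if !origin.trim().is_empty() => {
            CorsPolicy::AllowOrigin(origin.trim().to_string())
        }
        _ => CorsPolicy::AllowAny,
    }
}

/// Compute the CORS response headers for a request that carried `Origin`.
/// An empty map means "no CORS header at all", which makes a browser block the
/// cross-origin read; non-browser clients (bots, apps) are unaffected either way.
pub fn cors_headers(
    policy: &CorsPolicy,
    request_origin: Option<&str>,
) -> HashMap<&'static str, String> {
    let mut headers = HashMap::new();
    let origin = match request_origin {
        Some(o) => o,
        None => return headers, // same-origin or non-browser request: nothing to add
    };
    match policy {
        CorsPolicy::AllowAny => {
            // Wildcard: any origin may read the response. Browsers refuse to pair "*"
            // with Access-Control-Allow-Credentials, so cookies are never sent here.
            headers.insert("Access-Control-Allow-Origin", "*".to_string());
        }
        CorsPolicy::AllowOrigin(allowed) if allowed == origin => {
            // Echo the one configured origin; caches must then key on Origin.
            headers.insert("Access-Control-Allow-Origin", allowed.clone());
            headers.insert("Vary", "Origin".to_string());
        }
        CorsPolicy::AllowOrigin(_) => {} // not the allowed origin: omit the header
    }
    if !headers.is_empty() {
        // Assumed sample values for the rest of the preflight answer.
        headers.insert(
            "Access-Control-Allow-Methods",
            "GET, POST, PUT, DELETE, OPTIONS".to_string(),
        );
        headers.insert(
            "Access-Control-Allow-Headers",
            "Content-Type, Authorization".to_string(),
        );
    }
    headers
}

fn main() {
    // Non-debug run; reads LEMMY_CORS_ORIGIN from the environment if present.
    let policy = select_policy(false, std::env::var("LEMMY_CORS_ORIGIN").ok().as_deref());
    // Constructed sample origins.
    for origin in ["https://mysite.example", "https://other.example"] {
        println!("{origin}: {:?}", cors_headers(&policy, Some(origin)));
    }
}
```

Run it once with LEMMY_CORS_ORIGIN unset and once with it set to one of the sample origins to see the difference between the wildcard answer and the pinned-origin answer with no header for the other origin. As the thread notes, the pinned configuration only restrains browsers; it is not an access control for non-browser clients.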