seafile-docker
[suggestion] Allow CORS requests to the `api2` path by default
Edit: After manually fixing this and playing around a bit it seems like seahub itself is also gonna need to address some issues to fully support CORS (e.g. this issue)
About
Currently there are no CORS (Cross Origin Resource Sharing) headers set for the web API. This means that if you want to perform requests from other client web services you'll run into CORS blocks. That can be fixed by adding the right CORS headers in the nginx configuration templates.
The Fix
A possible fix would be to set the `Access-Control-Allow-Origin` to `*`. That would allow any web client to communicate with the API.
The requests could further be limited with `Access-Control-Allow-Methods` or `Access-Control-Allow-Headers`.
Counter Arguments
Opening up CORS of course always opens up the door a little wider for CSRF (Cross Site Resource Forgery). I'd say this is acceptable for this API though.
Alternatives
An alternative solution would be to make this configurable via an environment variable.
Additional Notes
The API of the official server at https://cloud.seafile.com/api2 actually uses `Access-Control-Allow-Origin: *`, although this might purely be for demonstration purposes.
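
One way to scope the headers more tightly than `*`, written as an added nginx example that is not part of the issue or of the seafile-docker templates. The allowed origins, the upstream address, and the method and header lists are assumptions.

```nginx
# Added example; not taken from the seafile-docker templates.
# Assumptions: origins, upstream address, method and header lists are placeholders.

# http{} context: echo the Origin back only when it is on the allowlist.
# An empty value makes nginx skip the add_header line entirely.
map $http_origin $cors_origin {
    default                      "";
    "https://app.example.com"    $http_origin;   # placeholder origin
    "https://tools.example.com"  $http_origin;   # placeholder origin
}

server {
    listen 80;

    location /api2 {
        # Preflight: answered by nginx itself. add_header lines from the
        # enclosing location are not inherited once a block defines its
        # own, so the origin headers are repeated here.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin  $cors_origin always;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
            add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
            add_header Access-Control-Max-Age       600 always;
            add_header Vary                         Origin always;
            return 204;
        }

        # Actual requests: same origin decision, sent on every status code.
        add_header Access-Control-Allow-Origin $cors_origin always;
        add_header Vary                        Origin always;

        # The variant proposed in the issue would instead be:
        #   add_header Access-Control-Allow-Origin * always;

        proxy_pass http://127.0.0.1:8000;   # placeholder upstream
    }
}
```

The `map` block could be generated from an environment variable when the template is rendered, which matches the alternative suggested in the issue.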