CORS proxy

Open warpech opened this issue 3 years ago • 0 comments

I discussed it with @krzysztofspilka yesterday that we should offer a free CORS proxy to help the developers get a quick start with Spreadsheet Viewer. The CORS proxy removes the need to set the headers in XLSX file server HTTP responses, at the cost of using a middleman (our service).

The easiest way for us to offer the CORS proxy is via Cloudflare.

Tasks include:

  • [ ] design a CORS API in SV that works automatically (if the workbook origin is different than the frame assets origin), but still make it possible to disable or change the proxy
  • [ ] explain the new API in the docs
  • [ ] write CORS proxy TOS (see below)
  • [ ] deploy the CORS proxy service

We need to write Terms of Service that includes:

  • the service is provided free of charge for end-users of SV
  • the service is optional and is not required for SV to function
  • the service's purpose is to make changes to HTTP responses that allow loading files without being blocked by the browser's cross-origin security protection (CORS)
  • the service works by adding Access-Control-Allow-Origin headers to the response
  • the service is only intended to work with certain document types (spreadsheets) and might not work with other kinds of resources (only certain MIME types are allowed)
  • the service uses a third-party cloud infrastructure provider (Cloudflare) and is subject to their TOS
  • the service might add other headers and process the files in additional ways, including reading of the files and processing them for stats purposes
  • we reserve the right to make API changes that will break compatibility with older versions of SV, or to disable the service with prior notice
  • the service might reject the request if the target server takes too long to respond or if the response size is too large
  • we reserve the right to limit the request rate (number of allowed requests in a time period)
  • the service makes requests for third-party servers on behalf of the user. We shall not take responsibility for unauthorized access to resources located at third-party servers nor for the amount of traffic generated by user requests and the consequences of it (hosting cost, DDoS attacks)

Maybe we could take a look at DNS, CDN, SSH tunnel services TOS for inspiration on what else to include.

warpech Oct 05 '21 08:10
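The restrictions listed in the issue (spreadsheet MIME types only, size and response-time limits, requests made to third-party servers on the user's behalf) can be enforced in the proxy itself. The sketch below is an added example, not code from the Spreadsheet Viewer project; the function names, the allowed types, the 20 MiB cap, the 10 s timeout and the wildcard `Access-Control-Allow-Origin` value are all assumptions.

```javascript
// Added example. ALLOWED_TYPES, MAX_BYTES and TIMEOUT_MS are assumed values.
const ALLOWED_TYPES = new Set([
  "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", // .xlsx
  "application/vnd.ms-excel", // .xls
]);
const MAX_BYTES = 20 * 1024 * 1024;
const TIMEOUT_MS = 10000;

// The proxy fetches on the user's behalf, so the target is validated first.
// Returns null when acceptable, otherwise the rejection reason.
function checkTarget(raw) {
  let u;
  try { u = new URL(raw); } catch { return "invalid URL"; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return "scheme not allowed";
  if (u.username || u.password) return "credentials in URL not allowed";
  const h = u.hostname;
  if (h === "localhost" || h.endsWith(".localhost")) return "internal host";
  // URL normalises numeric IPv4 forms; IPv6 literals keep their brackets.
  if (/^\d+(\.\d+){3}$/.test(h) || h.startsWith("[")) return "IP literal not allowed";
  return null; // names that resolve to private addresses need a resolver-level check
}

// Check the upstream response headers before any body is relayed.
function checkUpstream(contentType, contentLength) {
  const type = (contentType || "").split(";")[0].trim().toLowerCase();
  if (!ALLOWED_TYPES.has(type)) return "content type not allowed";
  if (contentLength != null && !(Number(contentLength) <= MAX_BYTES)) return "response too large";
  return null;
}

// fetchImpl is injectable so the handler can be exercised without network access.
async function proxy(target, fetchImpl = fetch) {
  const bad = checkTarget(target);
  if (bad) return new Response(bad, { status: 400 });
  let up;
  try { // redirects are not followed: a redirect would bypass checkTarget
    up = await fetchImpl(target, { redirect: "manual", signal: AbortSignal.timeout(TIMEOUT_MS) });
  } catch { return new Response("target did not respond", { status: 504 }); }
  if (up.status !== 200) return new Response("unexpected upstream status", { status: 502 });
  const reason = checkUpstream(up.headers.get("content-type"), up.headers.get("content-length"));
  if (reason) return new Response(reason, { status: 502 });
  const body = await up.arrayBuffer(); // Content-Length may be absent, so re-check
  if (body.byteLength > MAX_BYTES) return new Response("response too large", { status: 502 });
  return new Response(body, { headers: {
    "Content-Type": up.headers.get("content-type"),
    "Access-Control-Allow-Origin": "*",
    "X-Content-Type-Options": "nosniff",
  } });
}
```

Rate limiting, the remaining item in the list, is not covered here.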