
Maximally permissive CORS by default

Open · stuarteberg opened this issue 2 years ago · 1 comment

Is there any reason at all not to enable CORS by default, always?

I know we can configure permissive CORS access in the TOML file:

corsDomains = ["*"]

...but sometimes we forget to do that. I am too afraid to even try to estimate how many developer hours of debug time we've lost due to CORS issues over the years. As far as I can tell, there is nothing in DVID that presents a security concern that would be helped by restrictive CORS headers. Make it permissive by default, but allow us to lock it down in the TOML if we really want to.

stuarteberg · Mar 15 '22 13:03

Yes, if CORS is enabled by default, any DVID fronted by nginx, which is fairly common, would break because nginx would also be handling CORS and we'd get issues. We could add a flag to "dvid serve" that allows shutting off any CORS handling, and make sure all current nginx-fronted DVID servers that get code updates start using that -noCORS flag.

DocSavage · May 08 '22 03:05
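The following Go program is an added illustration, not DVID's own code. It models the two knobs discussed in this thread: the `corsDomains` list from the TOML (either a literal `"*"` or a list of exact origins) and the proposed `-noCORS` switch that turns the server's CORS handling off so a reverse proxy can own those headers. It also reproduces the failure DocSavage describes for nginx-fronted servers: when both the application and the proxy emit `Access-Control-Allow-Origin`, the response carries two values, and browsers reject such a response. The `CORSConfig` type, the `Probe` helper, the request path and the example origins are assumptions made for this example; only `corsDomains` and `-noCORS` come from the thread.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CORSConfig is a hypothetical stand-in for DVID's settings: Domains is the
// corsDomains list from the TOML ("*" allows any origin); Disabled models the
// proposed -noCORS flag that hands CORS entirely to a reverse proxy.
type CORSConfig struct {
	Domains  []string
	Disabled bool
}

// allowedOrigin returns the Access-Control-Allow-Origin value for a request
// Origin, or "" when the origin is not on the list (no CORS headers at all).
func (c CORSConfig) allowedOrigin(origin string) string {
	if origin == "" {
		return "" // same-origin or non-browser client: nothing to add
	}
	for _, d := range c.Domains {
		if d == "*" {
			return "*"
		}
		if strings.EqualFold(d, origin) {
			return origin // echo the exact origin rather than the wildcard
		}
	}
	return ""
}

// Middleware adds CORS headers according to the config and answers preflight
// (OPTIONS) requests for allowed origins with 204.
func (c CORSConfig) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c.Disabled {
			next.ServeHTTP(w, r) // -noCORS: the proxy owns every CORS header
			return
		}
		allowed := c.allowedOrigin(r.Header.Get("Origin"))
		if allowed != "" {
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", allowed)
			h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
			if allowed != "*" {
				h.Add("Vary", "Origin") // per-origin answers must not be shared by caches
			}
			if r.Method == http.MethodOptions {
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one request through the middleware and returns the status plus
// every Access-Control-Allow-Origin value on the response. When proxyAddsCORS
// is true it mimics a reverse proxy that appends its own wildcard header to
// the upstream response (the nginx double-handling case); a browser refuses a
// response that carries more than one value.
func Probe(cfg CORSConfig, method, origin string, proxyAddsCORS bool) (int, []string) {
	app := cfg.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, "http://dvid.example/api/help", nil) // constructed path
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	app.ServeHTTP(rec, req)
	res := rec.Result()
	if proxyAddsCORS {
		res.Header.Add("Access-Control-Allow-Origin", "*")
	}
	return res.StatusCode, res.Header.Values("Access-Control-Allow-Origin")
}

func main() {
	wild := CORSConfig{Domains: []string{"*"}}
	for _, proxy := range []bool{false, true} {
		_, acao := Probe(wild, "GET", "https://viewer.example", proxy)
		fmt.Printf("corsDomains=[\"*\"], proxy adds CORS=%v -> ACAO=%v\n", proxy, acao)
	}
	off := CORSConfig{Domains: []string{"*"}, Disabled: true}
	_, acao := Probe(off, "GET", "https://viewer.example", true)
	fmt.Printf("-noCORS with proxy -> ACAO=%v\n", acao)
}
```

Running the program shows the wildcard config producing a single `*` on its own, two values once a proxy also appends a header, and a single proxy-owned value again when the server-side handling is disabled. Two details worth keeping even in a permissive default: an exact-origin allowlist echoes the origin and sets `Vary: Origin`, and browsers never honour `*` together with credentialed requests, so a deployment that relies on cookies or `Authorization` headers from a web client needs the explicit list rather than the wildcard.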