openfoodfacts-server
openfoodfacts-server copied to clipboard
openfoodfacts
Fix CORS nginx setup to send the right Access-Control-Allow-Origin headers
The current nginx config does not work: we do not send Access-Control-Allow-Origin headers for a lot of queries. There are some add_headers for them in some if directives, but then as we include another file with other if directives to set expire headers, the previous add_headers directives are ignored.
Help wanted to:
- Decide on which requests we need CORS headers (and which ones, e.g. wide open?)
- Implement it on nginx
- Test it
Possible solution: include a file like this in all our if location directives:
etc/nginx/cors_support.conf
#
# Wide-open CORS config for nginx
#
# from https://enable-cors.org/server_nginx.html - retrieved 2020-08-26
#
# use: add "include cors_support.conf;" in each location block
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
#
# Custom headers and headers various browsers *should* be OK with but aren't
#
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
#
# Tell client that this pre-flight info is valid for 20 days
#
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}
Using "if" seems to be dangerous, see my comment here: https://github.com/openfoodfacts/openfoodfacts-server/issues/1538#issuecomment-612984111
This issue has been open 90 days with no activity. Can you give it a little love by linking it to a parent issue, adding relevant labels and projets, creating a mockup if applicable, adding code pointers from https://github.com/openfoodfacts/openfoodfacts-server/blob/main/.github/labeler.yml, giving it a priority, editing the original issue to have a more comprehensive description… Thank you very much for your contribution to 🍊 Open Food Facts
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
