
Access-Control-Allow-Origin

Open robflate opened this issue 5 years ago • 4 comments

Thanks for the container. Your example docker compose works fine, but when I try to change it to use a custom Traefik middleware I get the following errors:

[Error] Origin https://baserow.example.com is not allowed by Access-Control-Allow-Origin.
[Error] XMLHttpRequest cannot load https://api.example.com/api/user/token-auth/ due to access control checks.
[Error] Failed to load resource: Origin https://baserow.example.com is not allowed by Access-Control-Allow-Origin. (token-auth, line 0)

I assume this is because my middleware sets some accessControlAllowMethods and, because the API is on a subdomain, it refuses the connection. My middleware contains:

    middlewares-secure-headers:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        sslRedirect: true
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customFrameOptionsValue: "allow-from https://example.com"
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: "same-origin"
        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
          server: ""

Long question short, do you have any experience with what settings to use to allow the connection without completely removing the accessControlAllowMethods, for the security it adds? Thanks.

robflate Nov 20 '20 15:11
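An added example, not from the issue or the docker-baserow project, showing the CORS part of the middleware above with the settings that were missing: as I read Traefik's headers middleware, once any accessControl* option is set it answers the browser's OPTIONS preflight itself, and without an origin allow-list it never emits Access-Control-Allow-Origin, so Baserow's own CORS headers never reach the browser. The method allow-list stays; the origin is the frontend origin from the error above, and the header names and extra verbs are assumptions about what the Baserow web UI sends (the remaining HSTS, frame and content-type options from the original block are unchanged and omitted here).

```yaml
http:
  middlewares:
    middlewares-secure-headers:
      headers:
        # Keep the method allow-list, but include POST: the request that
        # failed above (/api/user/token-auth/) is a POST. PATCH and DELETE
        # are assumed to be used by other API calls; drop them if not needed.
        accessControlAllowMethods:
          - GET
          - POST
          - OPTIONS
          - PUT
          - PATCH
          - DELETE
        # The missing piece: only the frontend origin is allowed. Do not use
        # "*" here, as that would let any site call the API from a browser.
        accessControlAllowOriginList:
          - "https://baserow.example.com"
        # Request headers the web UI sends on API calls (assumed: Authorization
        # carries the token, Content-Type marks the JSON body).
        accessControlAllowHeaders:
          - Authorization
          - Content-Type
        accessControlMaxAge: 100
        # Emit "Vary: Origin" so a shared cache never hands a response meant
        # for one origin to a request from another.
        addVaryHeader: true
```

After applying it, a preflight (OPTIONS with an Origin header) against https://api.example.com should answer with Access-Control-Allow-Origin set to the frontend origin only; any other Origin value should get no such header.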

This is interesting to me. I'm not sure if the image itself is doing this (perhaps the Nginx "reverse" proxy that is inside it) or if it's Baserow itself. I'm going to need to test this on my end to see if I can recreate it. I haven't used Baserow in any capacity other than testing right now, as soon as I saw a posting of 0.40 available, so I don't have much production experience yet. Let me see what I can dig up.

tiredofit Nov 20 '20 17:11

Is there any way to set the API_HOSTNAME to a subpath of APPLICATION_HOSTNAME so they are the same origin and therefore avoid any CORS issues?

APPLICATION_HOSTNAME=baserow.example.com
API_HOSTNAME=baserow.example.com/api

This currently doesn't work because the web UI makes API requests by appending /api already, so using the above example the /api part of the URL is repeated, like so: baserow.example.com/api/api/blah.

I also just noticed the new v0.6 release of Baserow has a file field which requires another domain and extra folders. https://baserow.io/blog/november-release-of-baserow

robflate Dec 05 '20 23:12

OK, I updated the image to version 0.6.0 a couple of days ago, but didn't realize there is another domain required for file/assets storage. This will take a bit to understand.

As for avoiding CORS: yes, we most certainly could modify the "frontend.conf" part of the nginx configuration. I'm wondering if we could...

    APPLICATION_HOSTNAME=baserow.example.com
    API_HOSTNAME=/

Followed by a configuration directive inside of nginx to trap anything at /api and send it to the backend server. It may or may not work, as you identified, if something is already hardcoded. I'll reach out to the developer in a few days when back in the office and see if I can grab any hints; they were very supportive of my initial buildout of the image.

tiredofit Dec 06 '20 00:12

Any news on having the API on the same hostname with a different path?

fightforlife Mar 20 '21 09:03