fair-analytics
CORS for get endpoints
Unless I'm missing something, it seems like there's no supported way to access the endpoints like /_stats and /_live outside of the analytics domain in a browser. It seems relatively harmless for these to be access-control-allow-origin: *. However, that should be a different configuration than CORS for POST requests, since while it makes sense to make the auditing info available wherever, I'd likewise want to be able to restrict analytics POST requests to a single domain.
I'd be happy to make a PR if we can agree on what the API would look like. What do you think? I'm wondering if it makes sense to add a new flag called endpointsOrigin which is the same as origin but only for the non-/ GET endpoints?
hey @benwiley4000 thanks for the input. I think what you said makes perfect sense. We definitely want to have those endpoints available from other domains.
Since the change is harmless, as you mentioned, I'd change the default CORS config for those specific endpoints rather than introducing a new configuration flag. What do you think?
Sounds fine to me! Thanks!
On Mon, Apr 1, 2019 at 03:47, Alessandro Arnodo [email protected] wrote:
hey @benwiley4000 https://github.com/benwiley4000 thanks for the input. I think what you said makes perfect sense. We definitely want to have those endpoints available from other domains.
Since the change is harmless, as you mentioned, I'd change the default CORS config for those specific endpoints rather than introducing a new configuration flag. What do you think?
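The split discussed in this thread, sketched as an added example (not fair-analytics code): the read endpoints answer any origin, while event POSTs are granted only to the configured origin. The `corsHeaders` helper and `READ_ENDPOINTS` name are hypothetical, and the code assumes events are POSTed to `/`, as the thread's "non-/" wording implies.

```javascript
// Added example, not part of fair-analytics. Only /_stats and /_live are
// named in the thread; every other identifier here is hypothetical.
const READ_ENDPOINTS = new Set(['/_stats', '/_live']);

// Returns the CORS response headers for one request.
// postOrigin is the single origin allowed to submit events (the "origin" setting).
// A result without Access-Control-Allow-Origin means the browser blocks the call.
function corsHeaders(req, postOrigin) {
  const path = req.url.split('?')[0];
  const origin = req.headers.origin;
  const preflight = req.method === 'OPTIONS';
  // A preflight announces the real method in Access-Control-Request-Method.
  const method = preflight
    ? req.headers['access-control-request-method']
    : req.method;

  if (READ_ENDPOINTS.has(path) && method === 'GET') {
    // Public audit data served without credentials: a wildcard is acceptable.
    const h = { 'Access-Control-Allow-Origin': '*' };
    if (preflight) h['Access-Control-Allow-Methods'] = 'GET';
    return h;
  }

  if (path === '/' && method === 'POST' && origin === postOrigin) {
    // Echo the one configured origin; Vary keeps shared caches from
    // replaying this grant to a different origin.
    const h = { 'Access-Control-Allow-Origin': postOrigin, Vary: 'Origin' };
    if (preflight) {
      h['Access-Control-Allow-Methods'] = 'POST';
      h['Access-Control-Allow-Headers'] = 'Content-Type';
    }
    return h;
  }

  // Anything else (wrong origin, POST to a read endpoint) gets no grant.
  return { Vary: 'Origin' };
}

// Constructed sample requests.
const SITE = 'https://site.example';
const samples = [
  { method: 'GET', url: '/_stats', headers: { origin: 'https://other.example' } },
  { method: 'POST', url: '/', headers: { origin: 'https://other.example' } },
  { method: 'POST', url: '/', headers: { origin: SITE } },
];
for (const req of samples) {
  console.log(req.method, req.url, req.headers.origin, corsHeaders(req, SITE));
}
```

CORS is enforced by browsers only, so the POST restriction limits which pages can submit events from a browser and is not authentication for the endpoint.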