
CORS - Add CDR specific headers to access-control-expose-headers in response header #338

Closed
deepsol-oba opened this issue Oct 7, 2020 · 3 comments
Labels: Security (Change or question related to the information security profile)

Comments

@deepsol-oba

Description

The standard mandates the support of CORS.
When using CORS, in order to be able to query x-v, the x-v header field should be exposed through access-control-expose-headers.

This change will allow CORS consumers of the API to query the x-v of the payload to support

  • version-specific logic
  • querying the max supported version of the endpoint

Area Affected

  • Get Status
  • Get Outages
  • Get Products
  • Get Product Detail

Change Proposed

https://consumerdatastandardsaustralia.github.io/standards/#cors

Add requirement to standard to add access-control-expose-headers to expose x-v to the response header of the CORS enabled endpoints.
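Added example, not code from the CDR standards or from any participant in this issue: a small model of the browser-side CORS response-header filter described in the Fetch specification, used to check which response headers a cross-origin script can read. The sample "Get Products" style responses are constructed; header names are matched case-insensitively, as browsers do.

```javascript
// Models the Fetch-spec filter a browser applies to a cross-origin response:
// a script may read only CORS-safelisted response headers plus those named
// in Access-Control-Expose-Headers. Everything else (including x-v) is hidden.

// CORS-safelisted response-header names (Fetch spec), lower-cased.
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// Return the subset of `headers` (plain object, case-insensitive names) that
// a cross-origin caller may read. `credentials` mirrors the browser's
// credentials mode: with credentials, the "*" wildcard is not honoured.
function exposedHeaders(headers, credentials = false) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const exposeList = (lower["access-control-expose-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const wildcard = !credentials && exposeList.includes("*");
  const result = {};
  for (const [name, value] of Object.entries(lower)) {
    if (SAFELISTED.has(name) || wildcard || exposeList.includes(name)) {
      result[name] = value;
    }
  }
  return result;
}

// True when a browser script could read the x-v version header.
function canReadXv(headers) {
  return "x-v" in exposedHeaders(headers);
}

// Constructed sample responses: CORS enabled as the standards require
// (Access-Control-Allow-Origin: *), without and with the proposed header.
const withoutExpose = {
  "Content-Type": "application/json",
  "Access-Control-Allow-Origin": "*",
  "x-v": "2",
};
const withExpose = { ...withoutExpose, "Access-Control-Expose-Headers": "x-v" };

console.log("x-v readable without expose header:", canReadXv(withoutExpose));
console.log("x-v readable with expose header:   ", canReadXv(withExpose));
```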

@perlboy

perlboy commented Oct 7, 2020

@CDR-API-Stream
Collaborator

Hi @deepsol-oba, the standards currently state the following...

Cross-origin resource sharing (CORS) must be enabled (i.e. Access-Control-Allow-Origin set to "*") for the following endpoints:
...

This is clearly not intended to be a full redefinition of CORS, which is a well-defined standard for web-based systems with a great deal of detail. The clarifying statement that the Access-Control-Allow-Origin should be set to * was to provide clarity that a whitelist of known recipients was specifically not desired and that all domains should be accepted. It is not a statement to imply that simply implementing this header is sufficient.

As you note, the x-v header is a custom header, and the CORS standard requires that servers support Access-Control-Allow-Headers and pre-flight requests.

The DSB do not wish to restate an external standard in the CDR standards and have attempted to clarify this obligation in the following convention.

We could consider modifying the language to explicitly refer to CORS as a normative standard but this would be considered a change in description only and not a material change to the standards.

CDR-API-Stream added the "answer provided" and "Security (Change or question related to the information security profile)" labels and removed the "In Backlog" label on Mar 17, 2021
@CDR-API-Stream
Collaborator

The outcome of this issue has been decided by the Data Standards Chair that no change to standards will be made.

This issue will be closed accordingly.
