Gateway should allow CORS

[dylanPowers]

Denying cross origin resource sharing (CORS) over IPFS doesn't make much sense. All requests should be allowed.
Adding "Access-Control-Allow-Origin: *" to the HTTP headers will enable that.

Use cases:

• I have an app that has a script that wants to access something over IPFS. The script however isn't served over IPFS.
• I'm using a fancy chrome extension, and my gateway went down in the middle of requests. It fell back to gateway.ipfs.io but the rest of the requests are now failing because of CORS.

[jbenet]

Yeah.

We'll eventually need to use suborigins: www.chromium.org/developers/design-documents/per-page-suborigins

[whyrusleeping]

@dylanPowers try out https://github.com/jbenet/go-ipfs/tree/fix/gateway-cors

let me know if that solves the issue for you

[jbenet]

mmm not sure what security implications are at play here.

@mappum your perspective?

[lidel]

My 3 cents: HTTP Gateway (8080 by default) is supposed to be read-only, it would not hurt to limit allowed HTTP methods via Access-Control-Allow-Methods header:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, HEAD, OPTIONS

(OPTIONS is used in Preflight request)

This would enable JavaScript from other domains to access immutable (/ipfs/) resources and keep us safe in case at some point gateway provides mutable ones (/ipns/ or some control interface) via PUT, POST, PATCH or DELETE.

Good thing is that WebUI runs on a separate port (5001 by default),
so we don't need to worry about it. 👍

[whyrusleeping]

@lidel that makes good sense.
I think this issue should probably get a slight priority bump.

[jbenet]

Agreed. @lidel do you know Go? (Need some help with gateway things)

—
Sent from Mailbox

On Sun, Mar 29, 2015 at 10:54 AM, Jeromy Johnson [email protected]
wrote:

@lidel that makes good sense.

I think this issue should probably get a slight priority bump.

Reply to this email directly or view it on GitHub:
#934 (comment)

[lidel]

Sadly no, I have not touched Go before. This is a good motivation to learn, but I'd have to do some serious reading before I feel comfortable making any contribution to go-ipfs.

[jbenet]

it's a great language! https://tour.golang.org

On Wed, Apr 1, 2015 at 12:34 PM, Marcin Rataj [email protected]
wrote:

Sadly no, I have not touched Go before. This is a good motivation to
learn, but I'd have to do some serious reading before I feel comfortable
making any contribution to go-ipfs.

—
Reply to this email directly or view it on GitHub
#934 (comment).

[d11e9]

👍

[jbenet]

#1529

[daviddias]

We have CORS working now :) Let me us know if you encounter any remaining issues

[lidel]

In certain situations browsers execute OPTIONS request to read CORS headers
(Example and more details in ipfs/ipfs-companion#45 (comment))

HTTP OPTIONS method does not seem to be supported even when explicitly enabled:

ipfs config --json Gateway.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "GET", "POST", "OPTIONS"]'
ipfs config --json Gateway.HTTPHeaders.Access-Control-Allow-Origin '["*"]'
ipfs config --json Gateway.HTTPHeaders.Access-Control-Allow-Headers '["X-Requested-With"]'
ipfs config --json Gateway.Writable true

Produces:

> curl -X OPTIONS http://127.0.0.1:8080/ipfs/QmRqoVq1G9pL7hyLB2EGi5mndRTQv7tKfFXPRUsSbpHqfK
Method OPTIONS not allowed: bad request for /ipfs/QmRqoVq1G9pL7hyLB2EGi5mndRTQv7tKfFXPRUsSbpHqfK

Am I missing some configuration or do we need to reopen this ticket?

[Kubuxu]

More precisely, in certain situation browser does not execute OPTIONS. See simple vs preflighted requests.

[Kubuxu]

Also read-only API is missing CORS, it makes impossible to use read only API from browser/XHR.

Is there reason why they are filtered out from read-only API?

https://github.com/ipfs/go-ipfs/blob/5d9ee59908099df3f7e85679f7384c98d4ac8111/commands/http/handler.go#L71-L82

[jbenet]

@Kubuxu i do not recall. this may be an error now, as other parts have shifted. what would be nice is a short doc describing how we should handle all the CORS things, and then make sure the implementation does that.

[jbenet]

@Kubuxu all this will get smaller once the gateway is split out into its own repo.