Datasette plugin for configuring CORS headers, based on asgi-cors.
You can use this plugin to allow JavaScript running on an allowlisted set of domains to make fetch()
calls to the JSON API provided by your Datasette instance.
datasette install datasette-cors
You need to add some plugin configuration for this plugin to take effect.
To allowlist specific domains, use this:
{
"plugins": {
"datasette-cors": {
"hosts": ["https://www.example.com"]
}
}
}
This affects the access-control-allow-origin
header.
You can also allowlist host patterns like this:
{
"plugins": {
"datasette-cors": {
"host_wildcards": ["https://*.example.com"]
}
}
}
To allow all origins, use:
{
"plugins": {
"datasette-cors": {
"allow_all": true
}
}
}
This sets the access-control-allow-origin
header to *
.
You can specify allowed headers - with the access-control-allow-headers
header - using the headers
option:
{
"plugins": {
"datasette-cors": {
"allow_all": true,
"headers": ["Authorization", "Content-Type"]
}
}
}
To allow specific HTTP methods with the access-control-allow-methods
header, use the methods
option:
{
"plugins": {
"datasette-cors": {
"allow_all": true,
"methods": ["GET", "POST", "OPTIONS"]
}
}
}
You can set the access-control-max-age
header using the max_age
option:
{
"plugins": {
"datasette-cors": {
"allow_all": true,
"max_age": 3600
}
}
}
To test this plugin out, run it locally by saving one of the above examples as metadata.json
and running this:
datasette -m metadata.json
With Datasette 1.0 use -c config.json
instead, or try this:
datasette -s plugins.datasette-cors.allow_all true
Now visit https://www.example.com/ in your browser, open the browser developer console and paste in the following:
fetch("http://127.0.0.1:8001/_memory.json?sql=select+sqlite_version%28%29").then(r => r.json()).then(console.log)
If the plugin is working correctly, you will see the JSON response output to the console.