Enable CORS for all origins and requests on API #324
Conversation
|
Yeah, we should probably whitelist certain origins, just to be safe. Also, a dumb question, how does a AJAX request from an HTTP origin to an HTTPS API work? Is the request HTTPS or HTTP? |
|
I asked about the ajax request from http to https, and apparently the request is https, which is pretty rad. There's one gotcha though, that it's vulnerable to man-in-the-middle attacks: http://stackoverflow.com/a/7594254/4086967 |
|
I've whitelisted I can confirm that setting the For testing, I've used the setup described in this gist. |
|
When running this locally, I'm not able to make this work. I have the local ssl proxy running, and after running I also tried in Firefox and it also doesn't work. Maybe there's something I'm not doing? |
|
Have you accepted the self-signed certificate at On Chrome this is done by visiting Once this is accepted then Ajax requests through the proxy from HTTP should work. |
|
cool, yes, that worked. could you make a note of having to accept the certificate before it will work in http in the gist? it seems obvious in hindsight but just so it's totally clear... |
|
I mentioned it in step 5 but I've now changed it to be clearer with more bold. |
Enables the web client being served at
http://example.comto make requests to the server API athttps://example.com/apiusing CORS.This means that when #323 is merged in, the client can be told to always access the API over HTTPS. It also makes #319 easier to test since
local-ssl-proxycan be used to proxy the app over SSL on a different port and theAPI_URLenvironment variable can point to the SSL API.With the default current configuration, any webpage will be able to access the API. However, we could configure the middleware to only allow whitelisted origins to access it. We'd need to add another env variable to whitelist them.