CORS added for cross-site requests and readme updated #398
Conversation
There was a problem hiding this comment.
I tend to agree that while we are at it, we should allow to set a custom origin. Not sure if it is better to make --cors a string parameter or add an additional --cors-origin parameter. The latter has the slight advantage that the default case '*' is shorter to type (in particular as I see a lot of people failing to hand in an asterisk as paramter.
|
I suspect that the difference if the old version works or not is if the caller does an OPTION request first. |
|
As a tendency I would prefer -cors-all without an argument and -cors (or -cors-origin) with one. Added in 268e13a actually used -cors-any and -cors-origin as this makes things clearer IMHO. |
I assume so too, I just couldn't recreate with any of the (very mainstream and current) browsers I use. |
|
This looks good. (Although I would not expose photon to the public and instead use nginx or similar tools to proxy it for unrelated security reasons) |
|
add https (ssl) support to avoid Blocked loading mixed active content in browser because geolocation support removed for http protocol |
This is based on #373 and preserves rahulhaque commits but simplifies things a tiny bit and rebases it on the current master.
Currently the -cors flag is all or nothing, but I would expect that people running photon that want more fine grained control would put it behind a reverse proxy in any case.
It doesn't resolve the mystery of why the previous code that added a Access-Control-Allow-Origin header seems to have worked for some (for example myself) and not for others.