Allow all /api/v2/ CORS if the Domain is known #4880
Conversation
| # Don't do domain checking for APIv2 when the Domain is known | ||
| if request.path_info.startswith('/api/v2/'): | ||
| domain = Domain.objects.filter(domain__icontains=host) | ||
| if domain.exists(): |
There was a problem hiding this comment.
Do we want to allow to access the API no matter which domain the request comes from?
Codecov Report
@@ Coverage Diff @@
## master #4880 +/- ##
==========================================
- Coverage 76.64% 76.63% -0.02%
==========================================
Files 158 158
Lines 10054 10062 +8
Branches 1271 1271
==========================================
+ Hits 7706 7711 +5
- Misses 2007 2011 +4
+ Partials 341 340 -1
|
| # Don't do domain checking for APIv2 when the Domain is known | ||
| if request.path_info.startswith('/api/v2/'): | ||
| domain = Domain.objects.filter(domain__icontains=host) | ||
| if domain.exists(): |
There was a problem hiding this comment.
I'm -0 on allowing all API calls to all projects from all Domain's. We should still be mapping the domain -> project, so I think we can just add /api/v2/ to WHITELIST_URLS?
There was a problem hiding this comment.
How do you connect the Domain -> Project for this case? When calling /api/v2 we don't pass the project= query string.
There was a problem hiding this comment.
One thing we can do here is just allow safe methods for /api/v2 endpoints: GET and HEAD.
There was a problem hiding this comment.
Works for me. We should include more thinking and research around CORS when we do https://github.com/rtfd/readthedocs-ops/pull/441 and document our approach.
Currently, if any documentation project tries to use our APIv2 from a custom domain by doing an AJAX request, it will be blocked because of CORS.
This PR adds a new checking for this by allowing CORS on all the URLs that start with
/api/v2/and the HTTP_ORIGIN header is a known Domain in our platform.Raised at humitos/sphinx-version-warning#23