Issues using API - CORS Origins
-
Hi,
I seem to be running into issues when trying to use the API.
I have a project that will use Fider but keep having issues when trying to test or publish the code when using my Cloudron instance.
I keep getting "Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.".
I have tested this same code with a Fider setup that's not via Cloudron and it works fine.
It seems the config for the app is missing the ability or function to set this;
CORS_ALLOWED_ORIGINS: "https://a-website.com,http://localhost:8000"
-
Hello @TheMoodBoardz
CORS can be set in the app setting.
Thank you for your suggestion regarding the Content Security Policy (CSP) setting in the application.
I've investigated that configuration, but it appears the issue stems from a different, though related, server policy: CORS. I believe there may be some confusion between the two, as they have distinct functions. Here’s a quick summary:
CORS (Cross-Origin Resource Sharing): This is the server giving permission to another website to make API calls to it. The server needs to send an Access-Control-Allow-Origin header to grant this permission, which is what the error messages indicate is missing.
CSP (Content Security Policy): This is the server telling the browser what resources its own pages are allowed to load. This protects the Fider application itself but doesn't grant API access to other sites.
Even with the CSP configured, the browser is still blocking the API calls because the required CORS headers are not being sent by the server.
-
Just reading on their GitHub - https://github.com/getfider/fider/issues/1251
Based on what I can find their default configuration has it set to allow all cross-origins... Which is odd in why I am encountering this issue.
-
Hello @TheMoodBoardz
Oh, yes! I did not read carefully and just thought of CSP.
You are absolutely right.
@james Could the normal configuration within Cloudron Git have been changed from the normal defaults?
-
@TheMoodBoardz said in Issues using API - CORS Origins:
Cloudron Git
Are you writing about https://git.cloudron.io/?
Just an up-vote confirms, no need to write extra text, only if you'd like to.
-
@james Yes, I have set up a fresh install outside of Cloudron and do not have this issue.
I have not had a chance to check; however, it sounds like something within the configuration that Cloudron uses is different than stock install when it comes to CORS setting?
-
@TheMoodBoardz the app is only setting CORS for very specific routes. See https://github.com/getfider/fider/blob/253556bfb632ab9a7c5d552f1e63c1fb1d7c41b1/app/cmd/routes.go#L42C14-L42C30 . Indeed, I can confirm in my test install that feed.atom and also the favicon have CORS set to '*'. I think the upstream app has to fix CORS (if it supports it) for the post routes.
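
The situation described in the last post, as an added example that is not Fider's or Cloudron's code: a Go router where only some routes carry CORS headers, and a check that replays a browser preflight against a route. The `/api/v1/posts` route, the middleware and the helper names are assumptions for illustration; the origins are the ones quoted in the first post.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Origins taken from the CORS_ALLOWED_ORIGINS value quoted in the thread.
var allowed = map[string]bool{"https://a-website.com": true, "http://localhost:8000": true}

// cors echoes an allowlisted Origin and answers the preflight itself.
func cors(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); allowed[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin")
			w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// newMux builds constructed routes: /feed.atom always has CORS, the API route only if apiCORS.
func newMux(apiCORS bool) http.Handler {
	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	mux := http.NewServeMux()
	mux.Handle("/feed.atom", cors(h))
	if apiCORS {
		h = cors(h)
	}
	mux.Handle("/api/v1/posts", h)
	return mux
}
// preflightOK replays a browser preflight and applies only the browser's origin check.
func preflightOK(h http.Handler, path, origin string) bool {
	req := httptest.NewRequest(http.MethodOptions, path, nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "POST")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	acao := rec.Header().Get("Access-Control-Allow-Origin")
	return rec.Code/100 == 2 && acao != "" && (acao == "*" || acao == origin)
}

func main() {
	o := "http://localhost:8000"
	fmt.Println(preflightOK(newMux(false), "/api/v1/posts", o), preflightOK(newMux(true), "/api/v1/posts", o))
}
```

With `apiCORS` false the preflight to the API route fails the same way as the error in the first post, while `/feed.atom` on the same server passes.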