Jump to content

Welcome to Nullking!

Welcome to Nullking, sign in or register to get the best experience on our website.

Our awesome community offers support for webmasters and anything web related.
We also offer our members tons of resources, free of charge!

Sign in to follow this  
KiNG

INVISION COMMUNITY REST API CORS Fixaroo

Recommended Posts

REST API CORS Fixaroo


This plugin aims to tackle a very specific issue which occurs when you try to use OAuth2 and JavaScript together in a browser application.

Until now, this was not really feasible as the use of the Authorization header in the request will cause the browser to send a CORS pre-flight request to the endpoint. This request is an OPTIONS request and since it is not GET, PUT, POST or DELETE; IPS defaults to handling it as a GET request. As a result, the pre-flight request fails and causes the user to rely on a proxy of some sort to send the request with PHP or another server-side language.

This plugin extends the API dispatcher class and handles processing and generating a valid CORS pre-flight request response with the following headers:

Access-Control-Allow-Methods
Generated automatically from the methods of the endpoint being called. If the endpoint supports GET and POST, the allowed methods header will contain GET, POST but not PUT or DELETE.

Access-Control-Allow-Headers
Generated automatically from the request "Access-Control-Request-Headers" header to allow any headers being passed in the request. This is not the most secure method but it is version 1.0.0, maybe I will implement a setting for specific headers in a future version.

Access-Control-Allow-Origin
Generated from the plugin settings (see attached screenshot). It evaluates the "Origin" (or "Referer") header and if the request comes from one of the whitelisted domains in the plugin settings, it will set the value of the "Access-Control-Allow-Origin" header to be the domain of the request. Otherwise, the header will not be set and the CORS request will fail.
NOTE: Setting "*" as one of the allowed domains will allow CORS requests from any domain. This creates a possible XSS vulnerability and I would not recommend setting that option.


 

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...