Gateway should allow CORS

[dylanPowers]

Denying cross origin resource sharing (CORS) over IPFS doesn't make much sense. All requests should be allowed.
Adding "Access-Control-Allow-Origin: *" to the HTTP headers will enable that.

Use cases:

• I have an app that has a script that wants to access something over IPFS. The script however isn't served over IPFS.
• I'm using a fancy chrome extension, and my gateway went down in the middle of requests. It fell back to gateway.ipfs.io but the rest of the requests are now failing because of CORS.

[jbenet]

Yeah.

We'll eventually need to use suborigins: www.chromium.org/developers/design-documents/per-page-suborigins

[whyrusleeping]

@dylanPowers try out https://github.com/jbenet/go-ipfs/tree/fix/gateway-cors

let me know if that solves the issue for you

[jbenet]

mmm not sure what security implications are at play here.

@mappum your perspective?

[lidel]

My 3 cents: HTTP Gateway (8080 by default) is supposed to be read-only, it would not hurt to limit allowed HTTP methods via Access-Control-Allow-Methods header:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, HEAD, OPTIONS

(OPTIONS is used in Preflight request)

This would enable JavaScript from other domains to access immutable (/ipfs/) resources and keep us safe in case at some point gateway provides mutable ones (/ipns/ or some control interface) via PUT, POST, PATCH or DELETE.

Good thing is that WebUI runs on a separate port (5001 by default),
so we don't need to worry about it. 👍

[whyrusleeping]

@lidel that makes good sense.
I think this issue should probably get a slight priority bump.

[jbenet]

Agreed. @lidel do you know Go? (Need some help with gateway things)

—
Sent from Mailbox

On Sun, Mar 29, 2015 at 10:54 AM, Jeromy Johnson notifications@github.com
wrote:

@lidel that makes good sense.

I think this issue should probably get a slight priority bump.

Reply to this email directly or view it on GitHub:
#934 (comment)

[lidel]

Sadly no, I have not touched Go before. This is a good motivation to learn, but I'd have to do some serious reading before I feel comfortable making any contribution to go-ipfs.

[jbenet]

it's a great language! https://tour.golang.org

On Wed, Apr 1, 2015 at 12:34 PM, Marcin Rataj notifications@github.com
wrote:

Sadly no, I have not touched Go before. This is a good motivation to
learn, but I'd have to do some serious reading before I feel comfortable
making any contribution to go-ipfs.

—
Reply to this email directly or view it on GitHub
#934 (comment).

[d11e9]

👍

[jbenet]

#1529

[daviddias]

We have CORS working now :) Let me us know if you encounter any remaining issues