Plugin for allowing CORS from specified hosts

[simonw]

It would be useful if Datasette could be configured to allow CORS requests from one or more origins, as opposed to only allowing either none or "*".

This is slightly tricky because the Access-Control-Allow-Origin: https://foo.example header is only allowed to return one value per request - and according to https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS "The Access-Control-Allow-Origin header should contain the value that was sent in the request's Origin header."

This means the application code needs to have a whitelist of allowed hosts and code that dynamically changes the outgoing Access-Control-Allow-Origin header based on the Origin header from the incoming request.

[simonw]

Since I want the option to store more than one host, I don't think this should be a command-line option or a --config setting. Instead, I'm inclined to add this to metadata.json.

Maybe this should be a plugin? That way the metadata.json setting could look like this:

{
    "title": "Title of this instance",
    "plugins": {
        "datasette-cors": {
            "allowed_origins": ["https://example.com"]
        }
    }
}

This could be implemented easily on top of ASGI #272.

(It should probably raise an exception on startup if any of the allowed_origins ends with a slash e.g. "https://example.com/" since that's not actually a valid origin, and it's an easy mistake to make.)

[simonw]

Also worth considering: Access-Control-Max-Age: 86400 support - maybe as a "max_age" setting for the plugin. This can reduce the number of preflight checks the browser needs to make.

[simonw]

I really like the idea of this as a plugin, because it will provide a great example of an ASGI plugin including how to build unit tests against Datasette plugins which actually start up a Datasette server and run some requests through it.

[simonw]

I built a new ASGI middleware component for CORS headers which I can use to implement this: https://pypi.org/project/asgi-cors/ and https://github.com/simonw/asgi-cors

[simonw]

I built and shipped this back in July: https://github.com/simonw/datasette-cors