DSpace / DS-4473

REST API should set "Access-Control-Allow-Origin" (CORS) Header based on whitelist


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 7.0
    • Fix Version/s: 7.0
    • Component/s: REST API v7
    • Labels: None
    • Attachments: 0
    • Comments: 3
    • Documentation Status: Needed

    Description

    Related to discussion in DS-4396.

    During implementation of Shibboleth (DS-4396), we've found that we can no longer use a wildcard setting for the CORS header "Access-Control-Allow-Origin". So, we cannot set `Access-Control-Allow-Origin: *`, as we used to do.

    Therefore, we must implement a (configurable) whitelist of client-side URLs which the REST API will accept requests from.

    This whitelist should default to the value of the `dspace.ui.url` setting in dspace.cfg/local.cfg. However, it should allow for additional URLs to be added.

    [Temporary Workaround] Until this is resolved, if the REST API and Angular UI are run on separate servers, the "Access-Control-Allow-Origin" header can be set in an Apache configuration as described here: https://wiki.lyrasis.org/display/DSPACE/DSpace+7+Shibboleth+Configuration#DSpace7ShibbolethConfiguration-SeparateRESTandAngularhostname
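As an added illustration, not DSpace's own code or configuration, the Python below sketches the allowlist behaviour the description asks for: the list defaults to the UI origin plus any extra origins, and the API echoes the request's `Origin` back only on an exact scheme/host/port match instead of `*`, which browsers refuse to combine with credentialed (cookie-bearing) requests such as a Shibboleth session. The constant names and sample origins are assumptions; `DSPACE_UI_URL` merely stands in for the `dspace.ui.url` value.

```python
from urllib.parse import urlsplit

# Constructed sample values (assumed names, not DSpace configuration keys):
# the UI origin that dspace.ui.url would hold, plus one extra allowed client.
DSPACE_UI_URL = "https://dspace.example.org"
EXTRA_ALLOWED_ORIGINS = ["https://other-client.example.org:8443"]


def normalize_origin(url):
    """Reduce a URL or Origin header value to scheme://host[:port], lowercased.

    Returns None for anything that is not an http(s) origin (e.g. "null").
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    origin = f"{parts.scheme}://{parts.hostname}"
    default_port = 443 if parts.scheme == "https" else 80
    if port is not None and port != default_port:
        origin += f":{port}"
    return origin


def build_allowlist(ui_url, extra=()):
    """Allowlist defaults to the UI origin; additional origins may be added."""
    allowlist = set()
    for url in (ui_url, *extra):
        origin = normalize_origin(url)
        if origin:
            allowlist.add(origin)
    return allowlist


def cors_headers(request_origin, allowlist):
    """Return the CORS response headers for one request.

    The Origin header is compared as a whole origin (scheme, host, port),
    never as a prefix or substring, so a look-alike host or the same host
    over plain http does not match. Vary: Origin is always set so a shared
    cache never serves one origin's response to another.
    """
    headers = {"Vary": "Origin"}
    origin = normalize_origin(request_origin) if request_origin else None
    if origin in allowlist:
        headers["Access-Control-Allow-Origin"] = origin  # the exact origin, never "*"
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```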


    People

    • Assignee: Tim Donohue (tdonohue)
    • Reporter: Tim Donohue (tdonohue)
    • Votes: 0
    • Watchers: 0
