This repository has been archived by the owner on Nov 14, 2018. It is now read-only.
Access-Control-Allow-Origin header for /api/ should use Origin domain instead of * #367
Comments
|
Note, this link might be relevant: http://stackoverflow.com/questions/19743396/cors-cannot-use-wildcard-in-access-control-allow-origin-when-credentials-flag-i |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
When we make an API call using XMLHttpRequest to the JuliaBox API, we need to set
withCredentials=trueon the XHR object. This adds anOrigin: <domain>header, and also passes all Cookies through.The JuliaBox server (juliabox.org, for example) responds with an
Access-Control-Allow-Origin: *header. While this is fine for requests that do not require credentials, it violates CORS for requests that do require credentials. WhenwithCredentials=trueis set, we need the actual domain inAccess-Control-Allow-Origin.With
ipython, we used to setAccess-Control-Allow-Origin: origininipython_notebook_config.py. I'm not sure what the equivalent is for jupyter, but I'm sure you do, and can make the required changes for juliabox.Note that
withCredentials=trueis required because appropriate auth cookies need to be sent from the browser to juliabox in order to get data for the right user account.The text was updated successfully, but these errors were encountered: