Re: [libvirt] [PATCH 0/3] Ditch external JavaScript libraries

On Wed, Jun 19, 2019 at 06:24:36PM +0100, Daniel P. Berrangé wrote: > On Wed, Jun 19, 2019 at 05:22:56PM +0200, Martin Kletzander wrote: > > This is a response to all the discussions (mainly) other people had about all > > the JS code we're currently using, bundling, etc. > > > > I would love some feedback on whether we can work on any of the solutions for > > getting rid of that external proxy. We would have to: > > > > - either have our own proxy, > > Ideally we'd not use any proxy imho > I agree with that. > > - send a 'Access-Control-Allow-Origin' header from the libvirt.org server to > > allow fetching the atom.xml or > > Can you elaborate on this ? This is something we'd need to set on the > libvirt.org httpd config, to allow it to access atom.xml from the > planet.virt-toos.org server ? > The reason why we cannot fetch it directly is because of Same-origin policy [1] CORB (Cross-Origin Read Blocking). In order to avoid XSS (Cross-site scripting) the page is only allowed to access Same-Origin URIs (there are exceptions, I'll get to that). If a resource from different origin needs to be fetched, then the server side needs to be set up for CORS (Cross-Origin Resource Sharing [2]). With that the server sends the Access-Control-Allow-Origin (and other Access-Control-Allow-*) headers that will restrict what resources can the page load and how. For our use case it would be enough to set these, I believe (as more restrictive is better): Access-Control-Allow-Origin: "https://planet.virt-tools.org" Access-Control-Allow-Methods: "GET"