On Thu, Jun 20, 2019 at 10:04:03AM +0200, Martin Kletzander wrote:
On Wed, Jun 19, 2019 at 06:24:36PM +0100, Daniel P. Berrangé wrote:
On Wed, Jun 19, 2019 at 05:22:56PM +0200, Martin Kletzander wrote:
This is a response to all the discussions (mainly) other people had about all the JS code we're currently using, bundling, etc.
I would love some feedback on whether we can work on any of the solutions for getting rid of that external proxy. We would have to:
- either have our own proxy,
Ideally we'd not use any proxy imho
I agree with that.
- send a 'Access-Control-Allow-Origin' header from the libvirt.org server to allow fetching the atom.xml or
Can you elaborate on this ? This is something we'd need to set on the libvirt.org httpd config, to allow it to access atom.xml from the planet.virt-toos.org server ?
The reason why we cannot fetch it directly is because of Same-origin policy [1] CORB (Cross-Origin Read Blocking). In order to avoid XSS (Cross-site scripting) the page is only allowed to access Same-Origin URIs (there are exceptions, I'll get to that). If a resource from different origin needs to be fetched, then the server side needs to be set up for CORS (Cross-Origin Resource Sharing [2]). With that the server sends the Access-Control-Allow-Origin (and other Access-Control-Allow-*) headers that will restrict what resources can the page load and how. For our use case it would be enough to set these, I believe (as more restrictive is better):
Access-Control-Allow-Origin: "https://planet.virt-tools.org" Access-Control-Allow-Methods: "GET"
As discussed on irc, we actually needed the reverse. planet.virt-tools.org web server needs to server these headers, allowing libvirt.org. I have now got the planet.virt-tools.org apache configured todo this correctly I believe, so please give it a try & let me know if anything else needs changing on either httpd server. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|