This repository has been archived by the owner on Oct 14, 2022. It is now read-only.

Allows CORS on PSA Document? #118

Open
DougAnderson444 opened this issue Aug 15, 2019 · 17 comments

Comments

@DougAnderson444

DougAnderson444 commented Aug 15, 2019

@pfrazee I am trying to use beakerbrowser/dat-pinning-service-client to access hashbase.io/.well-known/psa from a non-beaker origin domain, but I am getting the error:

blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

I see #43 allowed CORS, but what about the PSA Document?

Has this issue already been addressed elsewhere or do we need a fix?

DougAnderson444 added a commit to DougAnderson444/hashfork that referenced this issue Aug 15, 2019
I ran into issue beakerbrowser#118 , here is a PR that I think will address the issue, for your consideration.
@DougAnderson444
Author

Opened PR #119

@pfrazee
Member

pfrazee commented Aug 15, 2019

Hmm... is there any possible reason we wouldn't want to allow this?

@DougAnderson444
Author

Paul, is that a trick question?
...I guess if you want to restrict programmatic pinning to hashbase to only beakerbrowser?

@pfrazee
Member

pfrazee commented Aug 16, 2019

Eaaaasy man, I'm not trying to be a jerk. I couldn't remember off the top of my head whether CORS would send credentials from another origin or if there was any other security concern. You just dumped a PR on me and I think it's fair for me to ask.

AFAICT the answer is no. Existing credentials (cookies) are never sent if we set allow to *. That said, I'm not sure if you can get your own origin's cookies sent, which will be needed if you want to go through the pinning API's login session. Can you confirm that for me before we merge this?

@DougAnderson444
Author

Ah, ok, no worries. I thought you might have wanted me to think deeper before asking for what I thought was needed. I'll look into the cookies and try to test it out first; it's just not my area of expertise.

If we need to pass cookies, from what I understand we may need to add:

```js
res.header("Access-Control-Allow-Credentials", "true") // only if you want to use client cookies
```

@pfrazee
Member

pfrazee commented Aug 16, 2019

🍻 Appreciate it! If we have to set allow-credentials, we should make sure that doesn't allow credentials to get attached across origins.

@pfrazee
Member

pfrazee commented Aug 16, 2019

If it turns out we can't get cookies to be sent without breaking session-isolation of SOP, we should look into sending the Authorization header instead of using cookies.
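The three cases discussed above (public PSA document, cookie-backed session, Authorization header instead of cookies) as one header-building function. This is an added example, not code from hashbase or dat-pinning-service-client; the trusted-origin list is constructed for illustration.

```javascript
// Added example, not code from hashbase or dat-pinning-service-client.
// Builds the CORS response headers for the three endpoint types in this thread.

// Constructed allow-list of origins permitted to use the login session.
const TRUSTED_ORIGINS = new Set([
  'https://pinning-ui.example', // hypothetical web client origin
]);

const POLICIES = {
  // /.well-known/psa: public data, no credentials involved.
  public: { credentials: false, allowHeaders: [] },
  // Login-session endpoints that depend on the browser sending cookies.
  cookie: { credentials: true, allowHeaders: ['Content-Type'] },
  // Same endpoints authenticated by an Authorization: Bearer header that
  // the client script sets itself, so no cookie is needed.
  bearer: { credentials: false, allowHeaders: ['Authorization', 'Content-Type'] },
};

// origin: value of the request's Origin header (undefined for same-origin
// or non-browser clients). Returns a plain object of headers to set.
function corsHeaders(origin, policyName) {
  const policy = POLICIES[policyName];
  const headers = {};

  if (policy.credentials) {
    // Cookies may only travel to an explicitly named, trusted origin.
    // "*" together with Allow-Credentials is rejected by browsers, and
    // reflecting whatever Origin arrives would hand the session to any site.
    if (origin === undefined || !TRUSTED_ORIGINS.has(origin)) {
      return headers; // no CORS headers: the browser blocks the response
    }
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin'; // stop caches serving one origin's answer to another
  } else {
    // Without credentials a wildcard is safe: no cookie is ever attached.
    headers['Access-Control-Allow-Origin'] = '*';
  }

  if (policy.allowHeaders.length > 0) {
    // Answers the preflight. Authorization must be listed by name; the
    // "*" wildcard in Allow-Headers does not cover it.
    headers['Access-Control-Allow-Headers'] = policy.allowHeaders.join(', ');
  }
  return headers;
}
```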

@DougAnderson444
Author

DougAnderson444 commented Aug 16, 2019

See, I'm glad I asked then. I only got so far as trying to get the PSA Document, for which no credentials are required. I'm sure I would have hit this wall once the PSA doc was fetched and tried to log in. I'll continue to pick away at it.

@pfrazee
Member

pfrazee commented Aug 16, 2019

For sure. I'm sorry my original response was short; tail end of the day.

@RangerMauve

Anything I can do to help push this forward? 😁

@DougAnderson444
Author

Oh yeah @RangerMauve ! Do you have a pinning server up?

I've been trying to bring one up to test this, but I've been running into challenges so far.

@RangerMauve

A pinning server with the proper CORS headers? I can set one up for you tomorrow. 😁

I'll just expose my dat-store instance on Digital Ocean and see if that works.

@DougAnderson444
Author

Oh, I thought if we were going to edit the hashbase code, we would need an instance of hashbase up and running?

Although, in looking at dat-store, that seems pretty straightforward. Is it really as easy as dat-share url?

@RangerMauve

RangerMauve commented Aug 19, 2019

Oh, k. I'll see what I can do there. Hashbase requires a bunch more config, so that might take more time, but I think I can figure it out. 😁

dat-store should behave the same as an unauthenticated hashbase.

@RangerMauve

Bleh. While getting the CORS stuff into dat store I got some sort of error with folder sync. 😭 Hopefully I'll have something this evening.

@RangerMauve

Of course it's a Windows problem. 😭

@RangerMauve

K, lost most of my day to fixing some weird bugs in dat-store. I'll need to figure out setting up a CORS enabled store tomorrow instead. 😅
