So, right now, electron/chromium etc have CORS enabled. Which means the SAFE browser does too.
It’s a method of limiting what domains scripts can fetch data from on the clearnet.
Recently @anon78698497 came upon some CORS issues fetching content via the native browser `fetch` API.
To get around it, we’ve basically a branch which is permissive in terms of CORS. The pseudo-server we use for managing HTTP responses will return with `Access-Control-Allow-Origin: *`. So any safe site can access the data.
This is in line with the fact that, currently, any safe site could access that same data via the `safe.fetch` API anyway.
So it seems no harm done?
That’s really my question here. OR something I’d like to properly consider. Do we want/need CORS in a SAFE Browser?
As above. CORS is ostensibly about limiting data access to certain domains (afaik). But on SAFE anything public should be just that. So in that sense, CORS goes against our SAFE ideals.
Also, in terms of limiting data access, we have other data types. So theoretically if we want to limit data access to certain sites/apps, we’re free to do that.
Does anyone see any issue with the above? Anything I’m missing here?
If not, it’s a tiny wee fix to get merged into the browser.
If we do want something CORS-like, well we should probably be looking to implement that functionality for `safe.fetch` too…
Anyway, would be grand to hear some thoughts on that.
(@anon78698497, @happybeing, @bzee, @ravinderjangra, @Shane tagging yous as you may well have opinions here).
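The trade-off raised in the post, as an added example (not the SAFE Browser's code): a response-header function in the permissive mode described above beside a per-origin allowlist, with a simplified version of the read check a browser applies. The function names, the policy object and the `safe://` origins are constructed for illustration.

```javascript
// Added illustration: names, policy shape and origins are hypothetical.

// Headers a pseudo-server would attach to a response for a given requesting origin.
function corsHeaders(requestOrigin, policy) {
  if (policy.mode === 'permissive') {
    // The behaviour described in the post: any site may read the response.
    return { 'Access-Control-Allow-Origin': '*' };
  }
  // CORS-like restriction: echo the origin only when it is on the allowlist.
  if (requestOrigin && policy.allowed.includes(requestOrigin)) {
    const headers = {
      'Access-Control-Allow-Origin': requestOrigin,
      // Caches must not reuse this response for a different origin.
      'Vary': 'Origin',
    };
    if (policy.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
    return headers;
  }
  return {}; // no CORS headers: a cross-origin page cannot read the body
}

// Simplified browser-side check for a cross-origin read.
function pageMayRead(requestOrigin, headers, withCredentials) {
  const allow = headers['Access-Control-Allow-Origin'];
  if (withCredentials) {
    // Browsers refuse the wildcard for credentialed requests.
    return allow === requestOrigin &&
      headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return allow === '*' || allow === requestOrigin;
}

// Convenience wrapper: server decision plus browser check in one call.
function canRead(origin, policy, withCredentials = false) {
  return pageMayRead(origin, corsHeaders(origin, policy), withCredentials);
}

// Constructed sample policies.
const permissive = { mode: 'permissive' };
const restricted = { mode: 'allowlist', allowed: ['safe://site-a'], credentials: true };

console.log(canRead('safe://site-b', permissive));       // true
console.log(canRead('safe://site-b', restricted));       // false
console.log(canRead('safe://site-a', restricted, true)); // true
console.log(canRead('safe://site-a', permissive, true)); // false
```
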