Roundup Tracker - Issues


Author rouilj
Recipients marcus.priesch, rouilj, schlatterbeck
Date 2022-05-12.22:14:40
Message-id <>
Two other notes:

I just added a Vary: Origin header to the rest responses since the existing OPTIONS
handlers can be wrapped to implement origin filtering and return different info based
on origin. 

CSRF Origin checks currently have to be turned off for CORS REST calls.
This check either needs to be:

  driven off a prefix table that can be set in config.ini or by
  If the origin sent by the client is matched by a prefix:
      ['', '', '']
  in the table then the origin check passes. Right now the prefix is the tracker url.

  is re-implemented as a method on the client object that can be wrapped/overridden in

I am leaning toward the prefix table from config.ini myself as I think it can be used to 
implement origin filtering for preflight requests in the core code.

An open question is what to return if an origin check fails in preflight or in cors.
* return some 400 value
* remove Access-Control-Allow-Origin header with no other change. This will fail a
  prefetch and prevent the data returned from being accessible to JavaScript IIUC.
Date User Action Args
2022-05-12 22:14:41rouiljsetmessageid: <>
2022-05-12 22:14:41rouiljsetrecipients: + rouilj, schlatterbeck, marcus.priesch
2022-05-12 22:14:41rouiljlinkissue2551203 messages
2022-05-12 22:14:40rouiljcreate