#22062: Bad requests do not add the Access-Control-Allow-Origin header
-----------------------------+------------------------------
 Reporter:  cypherpunks      |          Owner:  metrics-team
     Type:  defect           |         Status:  needs_review
 Priority:  Medium           |      Milestone:
Component:  Metrics/Onionoo  |        Version:
 Severity:  Normal           |     Resolution:
 Keywords:  metrics-2018     |  Actual Points:
Parent ID:                   |         Points:
 Reviewer:  irl              |        Sponsor:
-----------------------------+------------------------------
Changes (by karsten):
* status: new => needs_review * reviewer: => irl Comment: Okay, I spent way more time on this than I should have. Here's what I found out: We can indeed set the `Access-Control-Allow-Origin *` header at the top of `doGet`: {{{ diff --git a/src/main/java/org/torproject/metrics/onionoo/server/ResourceServlet.java b/src/main/java/org/torproject/metrics/onionoo/server/ResourceServlet.java index 0fee44b..b46c465 100644 --- a/src/main/java/org/torproject/metrics/onionoo/server/ResourceServlet.java +++ b/src/main/java/org/torproject/metrics/onionoo/server/ResourceServlet.java @@ -96,6 +96,8 @@ public class ResourceServlet extends HttpServlet { HttpServletResponseWrapper response, long receivedRequestMillis) throws IOException { + response.setHeader("Access-Control-Allow-Origin", "*"); + if (this.maintenanceMode) { response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE); return; 
@@ -408,7 +410,6 @@ public class ResourceServlet extends HttpServlet { ((CACHE_MAX_TIME - indexAgeMillis) / CACHE_INTERVAL) * CACHE_INTERVAL); - response.setHeader("Access-Control-Allow-Origin", "*"); response.setContentType("application/json"); response.setCharacterEncoding("utf-8"); response.setHeader("Cache-Control", "public, max-age=" }}} The effect is that all requests being handled by this servlet class will have that header, regardless of response code. This includes URLs starting with `/summary`, `/details`, `/bandwidth`, `/weights`, `/clients`, and `/uptime`. It does not, however, apply for other resources including typos of those URLs. The same does not work for cache headers. These are overwritten when we call `sendError()`, and I don't see an easy way to prevent that from happening. Maybe a filter or another handler or whatever Jetty has for such cases. Unfortunately, I don't know Jetty well enough to configure this, and I lack the time to find out. My suggestion would be that we move the `Access-Control-Allow-Origin *` header at the top of `doGet` as seen in the diff above and leave caching unchanged. How does this sound? -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22062#comment:5> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
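Review bot: In the hunk at @@ -96,6 +96,8, the new `response.setHeader("Access-Control-Allow-Origin", "*");` sits above the `maintenanceMode` check with no comment saying why it has to precede every `sendError()` call. A later cleanup could move it back next to `setContentType` and reintroduce the missing header on error responses, so add a one-line comment stating that it must be set before any error path, plus a servlet test asserting the header on the `SC_SERVICE_UNAVAILABLE` response. Since the comment on this ticket says `sendError()` overwrites the cache headers, that test is also where to confirm this header is not dropped the same way.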
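Review bot: In the hunk at @@ -408,7 +410,6, removing `response.setHeader("Access-Control-Allow-Origin", "*");` from the block that sets the content type makes the successful response depend entirely on the line added in the first hunk. The hunk headers only show `public class ResourceServlet` as context, so please confirm that both locations are in the same method and that no other caller reaches this block without passing through the new line. A test asserting the header on a normal `application/json` response would guard against a regression here.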