You can do that easily in web2py... Below is a sample of a decorator that allows any origin. Change it to fit your needs.
You can use it in a controller like:

@cors_allow
def action():
    .
    .
    .
    return dict(...)

------------------

def cors_origin():
    # Echo back whatever Origin the browser sent, so any origin is allowed.
    origin = request.env.http_origin
    headers = {}
    headers['Access-Control-Allow-Origin'] = origin
    headers['Access-Control-Allow-Methods'] = 'GET, OPTIONS, POST, HEAD, PUT'
    headers['Access-Control-Allow-Headers'] = 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,Accept'
    headers['Access-Control-Allow-Credentials'] = 'true'
    response.headers.update(headers)
    if request.env.request_method == 'OPTIONS':
        # Answer the preflight request here, without running the action.
        headers['Content-Type'] = None
        raise HTTP(200, '', **headers)

def cors_allow(action):
    def f(*args, **kwargs):
        cors_origin()
        return action(*args, **kwargs)
    # Keep the wrapped action's metadata on the wrapper.
    f.__doc__ = action.__doc__
    f.__name__ = action.__name__
    f.__dict__.update(action.__dict__)
    return f

2016-10-26 20:19 GMT+02:00 Spokes <spokes8...@gmail.com>:

> This isn't necessarily a web2py-specific question, but perhaps there's a
> web2py-specific solution that's preferable to other solutions, so I thought
> I'd ask it here.
>
> I have some HTML code and javascript, which I'd like to be able to paste
> into any website, and which should access an API endpoint on a web2py
> server. The web2py application is running on an nginx server.
>
> The javascript portion of the client code snippet is as follows:
>
> <script>
>     $(document).on("click", "button", function(e){
>         ...
>         var xhr = new XMLHttpRequest();
>         xhr.open("POST", "https://myurl.com/api/action/");
>
>         xhr.setRequestHeader("Content-Type",
>             "application/json");
>         var jsonStr = JSON.stringify({
>             Header:{Procedure:"..."},
>             Body: { ... }
>         });
>         xhr.send(jsonStr);
>     });
> </script>
>
> When the button that triggers the above action is clicked, the following
> error is generated (in Chrome):
>
> XMLHttpRequest cannot load https://myurl.com/api/action. Response to
> preflight request doesn't pass access control check: No
> 'Access-Control-Allow-Origin' header is present on the requested resource.
> Origin 'http://127.0.0.1:8000' is therefore not allowed access.
>
> As I understand it, this issue can be resolved by enabling CORS in the
> nginx settings <http://enable-cors.org/server_nginx.html>. However, I'd
> like to limit the modification to that one API function, which corresponds
> to the application/controller/function combo,
> "[MyApplication]/api/action". I'd appreciate recommendations on how to do
> this within the context of web2py running on nginx. Alternatively, is there
> a modification to the client javascript code (I'd like to keep the code
> small, so any modification would have to not exceed a couple of lines) that
> would remedy the problem? Thanks.
>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to web2py+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
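
An allowlist variant of the header logic in the cors_origin() decorator from the reply above, as an added example that is not part of the original thread or of web2py itself. The function names, ALLOWED_ORIGINS, the placeholder origin https://app.example.com and the trimmed header list are assumptions; it is written as plain functions so it runs outside web2py.

```python
# Added example: allowlist variant of the header logic in cors_origin().
# ALLOWED_ORIGINS is a constructed sample; "http://127.0.0.1:8000" is the
# origin seen in the thread's browser error, the other entry is a placeholder.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "http://127.0.0.1:8000",
})
ALLOWED_METHODS = "GET, OPTIONS, POST, HEAD, PUT"
# Only the request headers this API actually needs (assumption).
ALLOWED_HEADERS = "Content-Type, Authorization, Accept, X-Requested-With"


def cors_headers(origin, allowed=ALLOWED_ORIGINS, credentials=True):
    """Build the CORS response headers for one request.

    The origin is granted only on an exact, case-sensitive match against the
    allowlist, so "null", a missing Origin header and look-alike hosts get
    no Access-Control-* headers at all.
    """
    # Vary: Origin stops a shared cache from serving one origin's grant to another.
    headers = {"Vary": "Origin"}
    if not origin or origin not in allowed:
        return headers
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_decision(method, origin, allowed=ALLOWED_ORIGINS):
    """Return (headers, is_preflight).

    In the decorator from the reply, is_preflight=True corresponds to the
    branch that raises HTTP(200, '', **headers) without running the action.
    """
    headers = cors_headers(origin, allowed)
    return headers, method == "OPTIONS"
```

Inside cors_origin(), the headers dict would come from cors_headers(request.env.http_origin) instead of the unconditional assignments.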