This repository was archived by the owner on Mar 10, 2020. It is now read-only.

setting cors via environment variable does not work in windows #156

Closed
SCBuergel opened this issue Dec 3, 2015 · 10 comments

@SCBuergel

You suggest setting the CORS domain via an environment variable in https://github.com/ipfs/js-ipfs-api#cors. The Windows version of this does not work since 'ipfs daemon' seems to not correctly read this variable. Since it is possible to do the same via config settings, I'd suggest using this method on all OSes: call the following before starting the daemon:

ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin "[\"*\"]"

Unless there are no major limitations this would make the behavior more reliable across systems.

@dignifiedquire
Contributor

The nice thing about environment variables is that they are only used once, and if you set the config it will be there until you change it. But we should expand that section highlighting both these options and explaining the pros and cons.

@jbenet
Contributor

jbenet commented Dec 3, 2015

setting * is dangerous, remember that. anybody could cause you to pin all sorts of bad stuff.

i don't think the warning is strong enough :/

@travisperson
Contributor

I'm going to +1 this, though maybe change the wording. The other issue with the environment variable is it's deprecated.

https://github.com/ipfs/go-ipfs/blame/abae99214da67aa5822b7c269c1079b98b1a1722/CHANGELOG.md#L38

@dignifiedquire
Contributor

Maybe instead of suggesting * we suggest to use the actual host that it's being used from?

@travisperson
Contributor

I think the generic http://example.com would do just fine.

@jbenet
Contributor

jbenet commented Dec 4, 2015

yeah example.com could work, or maybe: https://trustedhost.com or http://127.0.0.1

@harlantwood
Contributor

example.com is most clear IMO.

@fazo96

fazo96 commented Dec 11, 2015

> setting * is dangerous, remember that. anybody could cause you to pin all sorts of bad stuff.
>
> i don't think the warning is strong enough :/

Well, the API listens to 127.0.0.1 only by default, so I don't see how this is a problem unless the API listens to an address reachable by other machines

@travisperson
Contributor

If a user sets the Access-Control-Allow-Origin to *, then any page they request through the gateway on their local machine can make requests to the API.

@fazo96

fazo96 commented Dec 11, 2015

@travisperson oh, of course, sorry! I really couldn't think about that for some reason.
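
An added example, not part of the original thread or of the IPFS projects' code: a small audit of the `API.HTTPHeaders.Access-Control-Allow-Origin` value discussed above, comparing which page origins may call the API under the wildcard and under a single pinned origin. The config objects, the page origins (including gateway port 8080) and the helper names are constructed for illustration, and the matching is a simplified exact-match-or-`*` model.

```javascript
'use strict';

// Constructed samples shaped like `ipfs config show` output (only the keys used here).
const wildcardConfig = {
  API: { HTTPHeaders: { 'Access-Control-Allow-Origin': ['*'] } }
};
const pinnedConfig = {
  API: { HTTPHeaders: { 'Access-Control-Allow-Origin': ['http://example.com'] } }
};

// Read the allow-list; an unset or malformed header yields an empty list in this model.
function configuredOrigins(config) {
  const headers = (config.API && config.API.HTTPHeaders) || {};
  const origins = headers['Access-Control-Allow-Origin'];
  return Array.isArray(origins) ? origins : [];
}

// Hypothetical audit helper: flag entries that are too broad or can never match.
function auditCorsOrigins(config) {
  const findings = [];
  for (const o of configuredOrigins(config)) {
    if (o === '*') {
      findings.push('wildcard: any page the browser loads may call the API');
    } else if (!/^https?:\/\/[^\/\s*]+$/.test(o)) {
      // A browser's Origin header is scheme://host[:port], with no path or trailing slash.
      findings.push(`not a valid origin: ${o}`);
    }
  }
  return findings;
}

// Simplified CORS model (assumption: exact match or "*", not go-ipfs's own code).
function pagesAllowed(config, pageOrigins) {
  const allow = configuredOrigins(config);
  return pageOrigins.filter((p) => allow.includes('*') || allow.includes(p));
}

// Constructed page origins: the local gateway, the intended app, an unrelated site.
const pages = ['http://127.0.0.1:8080', 'http://example.com', 'http://unrelated.example'];
console.log(auditCorsOrigins(wildcardConfig), pagesAllowed(wildcardConfig, pages));
console.log(auditCorsOrigins(pinnedConfig), pagesAllowed(pinnedConfig, pages));
```

With the wildcard, all three page origins pass, including a page served through the local gateway; with the pinned origin only `http://example.com` does.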
