setting cors via environment variable does not work in windows

[SCBuergel]

You suggest setting the cors domain via an environment variable in https://github.com/ipfs/js-ipfs-api#cors. The windows version of this does not work since 'ipfs daemon' seems to not correctly read this variable. Since it is possible to do the same via config settings I'd suggest to use this method in all OSes, call the following before starting the daemon:

ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin "[\"*\"]"

Unless there are no major limitations this would make the behavior more reliable across systems.

[dignifiedquire]

The nice thing about environment variables is that they are only used once, and if you set the config it will be there until you change it. But we should expand that section highlighting both these options and explaining the pros and cons.

[jbenet]

setting * is dangerous, remember that. anybody could cause you to pin all sorts of bad stuff.

i dont think the warning is strong enough :/

[travisperson]

I'm going to +1 this, though maybe change the wording. The other issue with the environment variable is it's deprecated.

https://github.com/ipfs/go-ipfs/blame/abae99214da67aa5822b7c269c1079b98b1a1722/CHANGELOG.md#L38

[dignifiedquire]

Maybe instead of suggesting * we suggest to use the actual host that it's being used from?

[travisperson]

I think the generic http://example.com would do just fine.

[jbenet]

yeah example.com could work, or maybe: https://trustedhost.com or http://127.0.0.1

[harlantwood]

example.com is most clear IMO.

[fazo96]

setting * is dangerous, remember that. anybody could cause you to pin all sorts of bad stuff.

i dont think the warning is strong enough :/

Well, the API listens to 127.0.0.1 only by default, so I don't see how this is a problem unless the API listens to an address reachable by other machines

[travisperson]

If a user sets the Access-Control-Allow-Origin to *, then any page they request through the gateway on their local machine can make requests to the API.

[fazo96]

@travisperson oh, of course, sorry! I really couldn't think about that for some reason.