
Cors origin allowed list check #37716

Open

Description

I think it is useful to be able to operate on data from Nextcloud from other websites and CMSs such as Moodle, Drupal or WP while using different domains. The webappassword app lets one use the DAV resources; it uses the Sabre pluggable system to modify the response, checking against a list of allowed domains. But I cannot find a way to use the share API from a different domain, as the files_sharing app provides neither the necessary preflight OPTIONS route nor the @CORS annotation in the relevant controller methods. Also, using it would allow every domain to gain access, so I think it may open a security breach in sites.

Workaround for parts of

It's also discussed in digital-blueprint/webapppassword#1, but I cannot find a way to listen for kernel-response events like https://symfony.com/doc/current/reference/events.html#kernel-response (as using Symfony events is discouraged). So the workaround I ended up using to be able to make requests from another domain is extending the share API controller to modify the response (https://gitlab.com/communia/files_sharing_webapppassword; information about it is in the app issue tracker: ). Of course, feedback about the ugliness of this workaround is welcome.

Proposal

Maybe Nextcloud could provide it natively, modifying the existing behavior in https://github.com/nextcloud/server/blob/master/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php#L116 to use logic similar to what I am using in the checkOrigin trait (https://gitlab.com/communia/files_sharing_webapppassword/-/blob/main/lib/Controller/AccessControl.php#L25).

One thing that will remain is how to define somewhere the automatic addition of a preflight OPTIONS route if CORS is used...
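As an added example (not code from the issue author, the webapppassword app or Nextcloud), here is what a strict origin allow-list check of the kind proposed above looks like as plain PHP functions: exact matching of a normalised `Origin` against a configured list, no reflection of arbitrary or `null` origins, and the header set a matching preflight reply would carry. The `$allowed` list and the header values are assumptions for illustration.

```php
<?php
// Added example, not Nextcloud code: exact-match origin allow-list check plus the
// headers for a preflight (OPTIONS) reply. $allowed below is a constructed sample.

function normalizeOrigin(string $origin): ?string {
    // Reduce to scheme://host[:port]; a path, query, userinfo or fragment means
    // the value is not an origin at all, so it is rejected.
    $p = parse_url(rtrim(strtolower(trim($origin)), '/'));
    if ($p === false || empty($p['scheme']) || empty($p['host']) || isset($p['path'])
        || isset($p['query']) || isset($p['fragment']) || isset($p['user'])) {
        return null;
    }
    $defaultPort = ['http' => 80, 'https' => 443][$p['scheme']] ?? null;
    if ($defaultPort === null) {
        return null;                                  // only web origins count
    }
    $port = $p['port'] ?? $defaultPort;
    return $p['scheme'] . '://' . $p['host'] . ($port === $defaultPort ? '' : ":$port");
}
function isOriginAllowed(?string $origin, array $allowedOrigins): bool {
    // A missing, "null" or malformed Origin never matches, and "*" is never
    // reflected: only an origin from the configured list can be echoed back.
    $wanted = $origin === null ? null : normalizeOrigin($origin);
    if ($wanted === null) {
        return false;
    }
    foreach ($allowedOrigins as $allowed) {
        if (normalizeOrigin($allowed) === $wanted) {  // exact match, no substrings
            return true;
        }
    }
    return false;
}
function corsHeaders(string $matchedOrigin, array $methods): array {
    // Echo only the matched origin and tell caches the reply depends on Origin.
    return [
        'Access-Control-Allow-Origin'  => $matchedOrigin,
        'Access-Control-Allow-Methods' => implode(', ', $methods),
        'Access-Control-Allow-Headers' => 'Authorization, Content-Type',
        'Vary'                         => 'Origin',
    ];
}

$allowed = ['https://moodle.example', 'https://drupal.example:8443/'];
$origin  = $_SERVER['HTTP_ORIGIN'] ?? null;
if (isOriginAllowed($origin, $allowed)) {
    foreach (corsHeaders(normalizeOrigin($origin), ['GET', 'POST', 'OPTIONS']) as $h => $v) {
        header("$h: $v");
    }
}
```

When the origin is not on the list, no `Access-Control-Allow-Origin` header is sent at all, so the browser blocks the cross-origin read instead of the server falling back to `*`.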

