Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable CORS on useful endpoints #10415

Closed
4 tasks
LukasReschke opened this issue Aug 14, 2014 · 8 comments
Closed
4 tasks

Enable CORS on useful endpoints #10415

LukasReschke opened this issue Aug 14, 2014 · 8 comments
Labels
enhancement security
Milestone
maybe some day

Comments

@LukasReschke
Copy link
Member

LukasReschke commented Aug 14, 2014
edited by DeepDiver1975
Loading

Regarding benweet/stackedit#122 (comment) we should create a list of APIs where we should enable CORS to allow third-party devs integrate with ownCloud. Feel free to add more:

  • OCS Share API (no private data)
  • WebDAV
  • CalDAV
  • CardDAV
@LukasReschke LukasReschke mentioned this issue Aug 14, 2014
Open
@LukasReschke
Copy link
Member Author

@jancborchardt @PVince81 @jfearn

@PVince81
Copy link
Contributor

Include OCS Share API
Exclude OCS Privatedata API until we have OAuth2 with more granular API permissions: an app should only be allowed to read/write its own data, not access other apps data

@jancborchardt
Copy link
Member

I added CalDAV and CardDAV (although they are not part of core).

cc @skddc @michielbdejong for remoteStorage.

@PVince81
Copy link
Contributor

Ideally oauth2 should be implemented first: #10400

@jancborchardt jancborchardt mentioned this issue Dec 11, 2014
Closed
@michielbdejong
Copy link
Contributor

So IIUC, the code for CORS was added to the middleware last May, but it was never actually activated on the OCS Share API?

That's what I understand from the discussion above, and also, I did a simple test against the API of the demo instance:

curl -I https://test:test@demo.owncloud.org/ocs/v1.php/apps/files_sharing/api/v1/shares

and got back no CORS headers.

(side note: there were actually some cookie headers on there which should be removed if/when switching to CORS)

@DeepDiver1975
Copy link
Member

So IIUC, the code for CORS was added to the middleware last May, but it was never actually activated on the OCS Share API?

ocs share api is not using app framework controllers - we cannot apply the cors middleware - yet

@DeepDiver1975 DeepDiver1975 modified the milestone: backlog Mar 21, 2015
@PVince81
Copy link
Contributor

PVince81 commented Sep 7, 2017

CORS was implemented with domain whitelisting here: #28457

@PVince81 PVince81 closed this as completed Sep 7, 2017
@lock
Copy link

lock bot commented Aug 2, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Aug 2, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement security
Projects
None yet
Milestone
maybe some day
Development

No branches or pull requests
5 participants
@PVince81 @michielbdejong @LukasReschke @jancborchardt @DeepDiver1975