On Thu, Jun 20, 2019 at 10:04:03AM +0200, Martin Kletzander wrote: > On Wed, Jun 19, 2019 at 06:24:36PM +0100, Daniel P. Berrangé wrote: > > On Wed, Jun 19, 2019 at 05:22:56PM +0200, Martin Kletzander wrote: > > > This is a response to all the discussions (mainly) other people had about all > > > the JS code we're currently using, bundling, etc. > > > > > > I would love some feedback on whether we can work on any of the solutions for > > > getting rid of that external proxy. We would have to: > > > > > > - either have our own proxy, > > > > Ideally we'd not use any proxy imho > > > > I agree with that. > > > > - send a 'Access-Control-Allow-Origin' header from the libvirt.org server to > > > allow fetching the atom.xml or > > > > Can you elaborate on this ? This is something we'd need to set on the > > libvirt.org httpd config, to allow it to access atom.xml from the > > planet.virt-toos.org server ? > > > > The reason why we cannot fetch it directly is because of Same-origin policy [1] > CORB (Cross-Origin Read Blocking). In order to avoid XSS (Cross-site scripting) > the page is only allowed to access Same-Origin URIs (there are exceptions, I'll > get to that). If a resource from different origin needs to be fetched, then the > server side needs to be set up for CORS (Cross-Origin Resource Sharing [2]). > With that the server sends the Access-Control-Allow-Origin (and other > Access-Control-Allow-*) headers that will restrict what resources can the page > load and how. For our use case it would be enough to set these, I believe (as > more restrictive is better): > > Access-Control-Allow-Origin: "https://planet.virt-tools.org"; > Access-Control-Allow-Methods: "GET" As discussed on irc, we actually needed the reverse. planet.virt-tools.org web server needs to server these headers, allowing libvirt.org. I have now got the planet.virt-tools.org apache configured todo this correctly I believe, so please give it a try & let me know if anything else needs changing on either httpd server. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
