So, right now, electron/chromium etc have CORS enabled. Which means the SAFE browser does too.
It’s a method of limiting what domains scripts can fetch data from on the clearnet.
Recently @latch came upon some CORS issues fetching content via the native browser
To get around it, we’ve basically a branch which is permissive in terms of CORS. The pseudo-server we use for managing HTTP responses will return with
Access-Control-Allow-Origin: *. So any safe site can access the data.
This is in line with the fact that, currently, any safe site could access that same data via the
safe.fetch api anyway.
So it seems no harm done?
That’s really my question here. OR something I’d like to properly consider. Do we want/need CORS in a SAFE Browser?
As above. CORS is ostensibly about limiting data access to certain domains (afaik). But on SAFE anything public should be just that. So in that sense, CORS goes against our SAFE ideals.
Also, in terms of limiting data access, we have other data types. So theoretically if we want to limit data access to certain sites/apps, we’re free to do that.
Does anyone see any issue with the above? Anything I’m missing here?
If not, it’s a tiny wee fix to get merged into the browser.
If we do want something CORS like, well we should probably be looking to implement that functionality for
Anyway, would be grand to hear some thoughts on that.