Setting `access-control-allow-origin` header does not work

Developers
1

:wave:
When using http_request to serve content it occurred to me that when i try to set the access-control-allow-origin through the headers it can’t be changed and always default to *.

i tried changing;

  • changing order
  • upper- / lowercase
  • changing the value

Other headers are set as expected;

let headers = vec![
    HeaderField("content-type".to_string(), "image/png".to_string()),
    HeaderField("accept-ranges".to_string(), "bytes".to_string()),
    HeaderField("content-length".to_string(), size.to_string()),
    HeaderField("david".to_string(), "does_it_work".to_string()),
    HeaderField("access-control-allow-origin".to_string(), format!("https://{}.raw.ic0.app", id().to_string())),
];

image
image1156×682 68.9 KB

What can cause this? and how can i fix it? :slight_smile:

2

It looks like you’re using the raw endpoints.

There is explicit config in nginx to force those access control headers, see:
https://github.com/dfinity/ic/blob/master/ic-os/boundary-guestos/rootfs/etc/nginx/includes/cors.conf#L1

We’re discussing if it makes sense to have these set for raw.
On one hand it doesn’t necessarily make sense for that header to be there for raw on the other hand, if we remove it there’s a good chance it will break canisters that rely on those headers being there…

1 Like
3

Thanks for the quick response, and yes i’m. using raw endpoints for this.

Wouldn’t it be possible to set them by default but let them be overridden, so exisiting canister won’t break?