Skip to main content

CORS preflight support for TiddlyWeb

Project description

A plugin for TiddlyWeb to support CORS pre-flight checks.

This is an experiment, with limited functionality. As test cases increase, functionality will increase.

To use add ‘tiddlywebplugins.cors’ to ‘system_plugins’ in tiddlywebconfig.py.

There are a few optional config settings:

If ‘cors.match_origin’ is True, then the value of the Origin header will be the value of the Access-Control-Allow-Origin header, on simple requests. On non-simple request, it always matches. If False the value is ‘*’ (on simple requests).

If ‘cors.allow_creds’ is True, then the Access-Control-Allow-Credentials header will be sent with a value of ‘true’, otherwise it will not be sent.

If ‘cors.exposed_headers’ is set, its should be a list of strings representing header names which are appended to the default Access-Control-Expose-Headers: ETag. This same list is used to set the default of Access-Control-Allow-Headers.

If ‘cors.enable_non_simple’ is True, preflight OPTIONS requests are handled. This defaults to False to avoid accidental exposure.

For authenticated cross-domain PUTs of resources the following config appears to be required:

‘cors.enable_non_simple’: True, ‘cors.allow_creds’: True, ‘cors.match_origin’: True,

The match_origin setting is required for the OPTIONS preflight requests to be handled effectively.

ToDo:

  • Blacklist/Whitelist processing of Access-Control-Request-Headers.

  • Auditing with someone else to confirm that this stuff is “correct”.

  • Refactoring of the two middlewares. There’s a fair bit of overlap. It could become just one that operates on both sides of the internal application, but I find that can be confusing.

Copyright 2012, Chris Dent <cdent@peermore.com>

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tiddlywebplugins.cors-0.3.tar.gz (9.4 kB view details)

Uploaded Source

File details

Details for the file tiddlywebplugins.cors-0.3.tar.gz.

File metadata

File hashes

Hashes for tiddlywebplugins.cors-0.3.tar.gz
Algorithm Hash digest
SHA256 2b639ef8c3b148778ff98a5c599d828bac14442bec39ccb68fbf1cc0d0649cca
MD5 79d213dee3fe6556665ea4dc88d8e67f
BLAKE2b-256 ae359394bd6603b5a1ffa4e9b1eed317a464714056bd741335e6e0e75d3c58c1

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page