Post by slotain on Nov 8, 2021 16:37:42 GMT
Is it typical that an implementation of a Redfish service include CORS?
The use case for this is when you're writing a website (see Swordfish-basic-web-client) and you'd like to access a Redfish service that isn't on the same server that serves the web pages; then the Redfish service has to enable CORS to ensure that a user's browser can send AJAX requests and successfully retrieve the data.
- Is CORS something people typically enable on a Redfish service? It seems reasonable to allow any sort of client (especially one written using HTML/JavaScript) to access the Redfish service.
- What are the security concerns for enabling CORS on the Redfish service? I would consider allowing '*', which allows any server to write a web client front end that consumes a Redfish service -- is this a poor security practice? I'll come back and report on this one.
Post by mraineri on Nov 12, 2021 13:55:50 GMT
I have not seen anyone implement CORS to date, so it's not typical at the moment. We certainly allow for it and have envisioned use cases like you've described.
Unfortunately I'm not too fluent in the security nuances of CORS to be of much help with your second question.
Post by AMI_Mani on Mar 27, 2023 17:35:14 GMT
Hi, We are seeing the below details for the Access-Control-Allow-Origin header in the response, and it's required to be provided in the response as per the Redfish specification (Section 8.1, Response Headers).
When we checked fetch.spec.whatwg.org/#concept-header, the allowed values were null and *:
"3.2.3. HTTP responses: An HTTP response to a CORS request can include the following headers: `Access-Control-Allow-Origin` Indicates whether the response can be shared, via returning the literal value of the `Origin` request header (which can be `null`) or `*` in a response."
Do we need to provide the Access-Control-Allow-Origin header in the response? Can we use the Access-Control-Allow-Origin value * if it is required to be provided in the response?
Thanks, Mani
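The first post asks whether answering `Access-Control-Allow-Origin: *` is poor security practice, and the post above asks whether `*` is a usable value at all. The Python below is an added example, not code from this thread, the Redfish specification or any DMTF project: it contrasts three ways a Redfish service could compute its CORS response headers and runs each through the browser-side CORS check from the Fetch standard. The hostnames, the allowlist and the helper names (`cors_reflect_any_origin`, `cors_wildcard`, `cors_allowlist`, `browser_allows_read`, `evaluate`) are all constructed for the example.

```python
"""CORS header policies for a hypothetical Redfish service (added example).

Not code from the forum thread, the Redfish spec or any DMTF project.
All hostnames and the allowlist below are constructed placeholders.
"""
from typing import Callable, Dict, Optional

# Constructed allowlist; a real service would make this an admin setting.
ALLOWED_ORIGINS = frozenset({"https://bmc-console.example.test"})

# Headers a browser-based Redfish client must be allowed to send: the session
# token travels in X-Auth-Token, Basic auth in Authorization, ETags in If-Match.
# Any of these makes the browser send a preflight (OPTIONS) request first.
ALLOWED_HEADERS = "Content-Type, X-Auth-Token, Authorization, If-Match"
ALLOWED_METHODS = "GET, POST, PATCH, PUT, DELETE, OPTIONS"


def cors_reflect_any_origin(origin: Optional[str]) -> Dict[str, str]:
    """Anti-pattern: echo whatever Origin arrives and also allow credentials.
    Any web page the user visits can then read responses made with the user's
    ambient browser credentials (cookies, cached Basic auth) for the BMC."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
    }


def cors_wildcard(origin: Optional[str]) -> Dict[str, str]:
    """The '*' policy discussed in the thread. Browsers never pair '*' with
    credentials, so a foreign page can only use a token it explicitly holds
    (sent in X-Auth-Token), never the user's cookies or cached Basic auth."""
    return {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
    }


def cors_allowlist(origin: Optional[str]) -> Dict[str, str]:
    """Exact-match allowlist: only known front ends get a grant, and
    'Vary: Origin' stops a cache serving one origin's grant to another.
    The opaque origin 'null' is never trusted."""
    if origin is None or origin == "null" or origin not in ALLOWED_ORIGINS:
        return {"Vary": "Origin"}  # no grant: the browser blocks the read
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
        "Vary": "Origin",
    }


def browser_allows_read(resp: Dict[str, str], origin: str, credentialed: bool) -> bool:
    """The 'CORS check' a browser applies to a response (Fetch standard):
    '*' is accepted only for requests sent without credentials; otherwise
    Access-Control-Allow-Origin must equal the page's origin exactly, and a
    credentialed request also needs Access-Control-Allow-Credentials: true."""
    acao = resp.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not credentialed
    if acao != origin:
        return False
    if credentialed:
        return resp.get("Access-Control-Allow-Credentials") == "true"
    return True


Policy = Callable[[Optional[str]], Dict[str, str]]


def evaluate(policy: Policy, origin: str, credentialed: bool) -> bool:
    """Would a page at `origin` be able to read the Redfish response under `policy`?"""
    return browser_allows_read(policy(origin), origin, credentialed)


if __name__ == "__main__":
    trusted = "https://bmc-console.example.test"   # constructed, in the allowlist
    hostile = "https://evil.example.test"          # constructed, not in the allowlist
    for name, policy in (("reflect", cors_reflect_any_origin),
                         ("wildcard", cors_wildcard),
                         ("allowlist", cors_allowlist)):
        print(f"{name:9}  trusted page, token in header: {evaluate(policy, trusted, False)}"
              f"  hostile page, ambient cookies/Basic: {evaluate(policy, hostile, True)}")
```

The point for the thread's question: `*` is a legal value and is not the dangerous configuration, because a browser refuses to hand a `*` response to any request that carried cookies or cached Basic credentials, so a hostile page gains nothing it did not already hold (a session token it would have to obtain some other way). The hazardous pattern is reflecting an arbitrary `Origin` together with `Access-Control-Allow-Credentials: true`, which the first policy shows. If credentialed cross-origin access is genuinely needed, the allowlist policy is the shape to use, and the preflight response must list `X-Auth-Token` in `Access-Control-Allow-Headers` or the browser will never send the Redfish session token.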
Post by mraineri on Mar 27, 2023 17:52:46 GMT
By the letter of the spec today, yes, you technically need to support it. However, I don't see how that's useful unless you specifically support CORS. We may need to review this further and update the spec.
Post by AMI_Mani on Mar 28, 2023 3:59:24 GMT
Thanks for the reply. Please review and update the specification to confirm whether the Access-Control-Allow-Origin header is mandatory in the response or not.
Thanks, Mani