oasis-open / cti-stix-visualization

OASIS TC Open Repository: Lightweight visualization for STIX 2.0 objects and relationships

Home Page: http://oasis-open.github.io/cti-stix-visualization


Cross Origin issues when fetching a URL source that does not have 'Access-Control-Allow-Origin' set

Bojak4616 opened this issue · comments

I think the easiest solution to this is asking the user to create a github gist to host their STIX json.

It doesn't fix the issue, but unless their web server allows cross-origin requests there is no local way to fix this.

As per a conversation with @clenk, it looks like https://cors.io/ may be able to solve this issue. From what we can tell it scrapes the desired website and runs its own web service that allows cross-origin requests. This way you are able to get the desired JSON from any raw JSON link.

An example would look like so: https://oasis-open.github.io/cti-stix-visualization/?url=https://cors.io/?https://pastebin.com/raw/wCAs4ECd

The https://cors.io/? could be prepended internally if this is a route we choose to take.

@gtback Thoughts? Adding the liability of another service, especially one that seems to not have a large backing behind it, might not be something we wish to do. However, it would enable JSON input from any external site.

This application is temporarily over its serving quota. Please try again later.

Lol.

I don't think we should always prepend https://cors.io. Maybe we should just add a note (either always, or just when we detect a CORS error... if there's some way to do so).

I like the second option, using the proxy if a CORS error was detected; I'll look at how to hook that error.

This application is temporarily over its serving quota. Please try again later.

Yiiiikes

It's looking less and less likely that we should use https://cors.io.

When browsing to https://cors.io/?https://pastebin.com/raw/wCAs4ECd (which contains some STIX I uploaded), we are now greeted with:

stolen content from pastebin.com. your request has been blocked! visit pastebin.com for the original content.

I'm a little confused as to why it would do this, but it doesn't appear to be a long-term solution.

@gtback Do you think it's unreasonable to ask users to create a GitHub gist of the content they would normally host themselves? I understand the benefits of them hosting their own content but our functionality is limited using GitHub Pages.

I can look into using the GitHub API to create an anonymous gist of data pasted into the "parse" field and return it to the user, if that seems useful. Thoughts?

No, for now let's just put a message in the "paste a URL" section that says something to the effect of "the server must allow cross-origin requests from github.io. You can use a gist if you need to host the content somewhere and don't have control over server headers".

If it's possible to detect that an AJAX call was rejected due to CORS it might be helpful to raise an error message rather than silently failing (as it seems to be doing now).
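As an added illustration (not the project's own code) of the "detect the CORS rejection and show a message" idea from the comment above: a browser never hands a CORS-blocked request to script as a Response, it rejects the fetch with a TypeError that looks the same as a plain network failure, so the loader below reports that ambiguity honestly and checks the HTTP status and bundle shape separately. It assumes a fetch-compatible function can be injected so each failure branch can be exercised without a network.

```javascript
// Added example, not cti-stix-visualization's own code. Loads a STIX 2.0 bundle
// from a URL and returns a structured result the UI can display instead of
// failing silently. fetchImpl is assumed injectable (defaults to the browser's fetch).

const CORS_HINT =
  'The server must allow cross-origin requests from github.io ' +
  '(Access-Control-Allow-Origin). If you cannot change the server headers, ' +
  'host the JSON in a gist instead.';

async function loadStixBundle(url, fetchImpl = globalThis.fetch) {
  let response;
  try {
    response = await fetchImpl(url, { mode: 'cors' });
  } catch (err) {
    // A CORS rejection surfaces as a TypeError with no Response object, and is
    // indistinguishable from DNS/connection failures, so say so rather than guess.
    if (err instanceof TypeError) {
      return { ok: false, reason: 'cors-or-network',
               message: `Could not fetch ${url} (blocked by CORS or unreachable). ${CORS_HINT}` };
    }
    throw err; // anything else is a programming error, not a fetch outcome
  }
  if (!response.ok) {
    return { ok: false, reason: 'http', message: `Server returned HTTP ${response.status} for ${url}.` };
  }
  let bundle;
  try {
    bundle = await response.json();
  } catch (err) {
    return { ok: false, reason: 'parse', message: `Response from ${url} is not valid JSON.` };
  }
  // Minimal STIX 2.0 bundle shape check before handing the data to the visualizer.
  if (bundle === null || typeof bundle !== 'object' ||
      bundle.type !== 'bundle' || !Array.isArray(bundle.objects)) {
    return { ok: false, reason: 'not-stix',
             message: 'JSON is not a STIX 2.0 bundle (expected type "bundle" with an "objects" array).' };
  }
  return { ok: true, bundle };
}

// Constructed stand-ins for fetch (sample behaviour only) so every branch can be
// exercised offline; the 'cors' case mirrors what browsers actually throw.
function fakeFetch(behaviour) {
  return async () => {
    if (behaviour === 'cors') throw new TypeError('Failed to fetch');
    if (behaviour === 'http404') return { ok: false, status: 404, json: async () => ({}) };
    if (behaviour === 'badjson') return { ok: true, status: 200, json: async () => { throw new SyntaxError('Unexpected token'); } };
    if (behaviour === 'notstix') return { ok: true, status: 200, json: async () => ({ hello: 'world' }) };
    return { ok: true, status: 200, json: async () => ({ type: 'bundle', spec_version: '2.0', objects: [] }) };
  };
}
```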

Simple fix has been merged in PR #24