[annotator-dev] (no subject)

Randall Leeds tilgovi at hypothes.is
Mon Apr 29 20:54:41 UTC 2013


I just opened https://github.com/okfn/annotator/issues/205 for this.

Originally, annotator probably had such a thing. Or annotator-store did.

Now, only annotateit and h and similar things actually implement the
token route.

In our case, I can change the token route to /api/token (I will commit
that in a moment) but it still doesn't help, because we don't enable
CORS on the token route. We do this because we don't need CORS for the
API token (we fetch it from the iframe) and I like this setup because
it makes it non-trivial for a site (or malicious code that's been
injected into a site somehow) to steal a user's API token (they would
have to find and exploit some hole in our cross-frame RPC).

You can either run the okfn/annotateit repository or add something
like the following to the token route in h while testing:

         request = self.request
+        response = request.response
+        ac = 'Access-Control-'
+
+        response.headers[ac + 'Allow-Credentials'] = 'true'
+        response.headers[ac + 'Allow-Origin'] =
request.headers.get('origin', '*')
+        response.headers[ac + 'Expose-Headers'] = \
+            'Content-Length, Content-Type, Location'
+
+        if request.method == 'OPTIONS':
+            response.headers[ac + 'Allow-Headers'] = \
+                'Content-Length, Content-Type, X-Requested-With'
+            response.headers[ac + 'Allow-Methods'] = 'GET'
+            response.headers[ac + 'Max-Age'] = '86400'
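Review bot: the Allow-Origin line echoes whatever Origin the request carries (`request.headers.get('origin', '*')`) while Allow-Credentials is `'true'`, so any page that makes a credentialed XHR to the token route can read the token, which is the theft the paragraph above says the no-CORS setup prevents; fine as a local test hack, but before committing anything like it compare the origin against an allowlist and only echo a match, and drop the `'*'` fallback, since browsers discard a credentialed response whose Allow-Origin is the wildcard. A `Vary: Origin` header is also missing, so a shared cache could serve one origin's Allow-Origin value to another.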

On Sun, Apr 28, 2013 at 4:25 AM, Ed Summers <ehs at pobox.com> wrote:
> Oops,
>
> Subject: /api/token 404
>
> //Ed
>
> On Sun, Apr 28, 2013 at 7:23 AM, Ed Summers <ehs at pobox.com> wrote:
>> newbie question #2
>>
>> When I open the dev.html document in my browser with an
>> annotator-store instance running on port 5000 I get an error:
>>
>>   XMLHttpRequest cannot load http://localhost:5000/api/token. Origin
>> http://localhost:8080 is not allowed by Access-Control-Allow-Origin.
>>
>> I took a look in my annotator-store log and saw that the request is a 404:
>>
>>   INFO:werkzeug:127.0.0.1 - - [28/Apr/2013 06:55:34] "GET /api/token
>> HTTP/1.1" 404
>>
>> ... which unlike 200 OK requests doesn't get the CORS headers, and so
>> shows up as a cross-origin error:
>>
>>   curl -I http://localhost:5000/api/token
>>   HTTP/1.0 404 NOT FOUND
>>   Content-Type: text/html
>>   Content-Length: 238
>>   Server: Werkzeug/0.8.3 Python/2.7.2
>>   Date: Sun, 28 Apr 2013 11:13:44 GMT
>>
>> Is it the case that annotator-store isn't designed to be run by
>> itself, and needs to be used in the context of an other app that
>> handles authentication, like hypothesis/h or okfn/annotateit?
>>
>> //Ed
>
> _______________________________________________
> annotator-dev mailing list
> annotator-dev at lists.okfn.org
> http://lists.okfn.org/mailman/listinfo/annotator-dev
> Unsubscribe: http://lists.okfn.org/mailman/options/annotator-dev
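
Randall's point above is that a credentialed token route must not be readable by arbitrary origins. As an added example for this thread, not code from annotator-store, annotateit or h, here is a framework-free helper that decides the CORS headers for such a route from an explicit origin allowlist, placed beside the echo-any-origin variant so the difference is visible. The allowlist contents (Ed's dev origin), the function names and the `browser_can_read` approximation of the browser's response check are assumptions made for the example.

```python
"""CORS policy for a credentialed /api/token route (added example).

Not annotator-store, annotateit or h code.  The allowlist, function names
and the browser-side approximation below are assumptions for illustration;
the route and web framework are left out so the module runs offline.
"""
from typing import Dict, Iterable, Optional

# Constructed allowlist: the origin dev.html is served from in Ed's setup.
ALLOWED = frozenset({"http://localhost:8080"})

EXPOSED = "Content-Length, Content-Type, Location"
PREFLIGHT_HEADERS = "Content-Length, Content-Type, X-Requested-With"


def origin_allowed(origin: Optional[str], allowed: Iterable[str]) -> bool:
    """Exact, case-sensitive match against the allowlist.

    Browsers send the serialized origin (scheme://host[:port], no path), so
    exact comparison is the right check; prefix or substring matching would
    let http://localhost:8080.attacker.example through.
    """
    if origin is None:
        return False
    return origin in set(allowed)


def cors_headers(method: str, origin: Optional[str],
                 allowed: Iterable[str] = ALLOWED) -> Dict[str, str]:
    """Return the CORS headers for one request to the token route.

    - An origin not on the allowlist gets no CORS headers at all: the server
      still answers, but the browser withholds the body from the calling page.
    - Allow-Origin is always the single matched origin, never '*': browsers
      reject '*' when Allow-Credentials is 'true', and echoing the request's
      Origin would let every site read the cookie-bound token.
    - Vary: Origin stops a shared cache from serving one origin's
      Allow-Origin value to another origin.
    """
    if not origin_allowed(origin, allowed):
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Expose-Headers": EXPOSED,
        "Vary": "Origin",
    }
    if method.upper() == "OPTIONS":  # preflight: advertise what the route accepts
        headers.update({
            "Access-Control-Allow-Methods": "GET",
            "Access-Control-Allow-Headers": PREFLIGHT_HEADERS,
            "Access-Control-Max-Age": "86400",
        })
    return headers


def reflecting_headers(origin: Optional[str]) -> Dict[str, str]:
    """The weak variant: echo whatever Origin arrived, or '*' if none.

    Kept only to show why it is unsafe for a credentialed token route.
    """
    return {
        "Access-Control-Allow-Origin": origin or "*",
        "Access-Control-Allow-Credentials": "true",
    }


def browser_can_read(headers: Dict[str, str], origin: str,
                     credentials: bool = True) -> bool:
    """Approximate the browser's CORS response check (assumption: simplified).

    With credentials, Allow-Origin must equal the page origin exactly and
    Allow-Credentials must be 'true'; '*' is not accepted in that mode.
    """
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if credentials:
        return acao == origin and headers.get("Access-Control-Allow-Credentials") == "true"
    return acao == "*" or acao == origin


if __name__ == "__main__":
    for site in ("http://localhost:8080", "http://attacker.example"):
        strict = browser_can_read(cors_headers("GET", site), site)
        weak = browser_can_read(reflecting_headers(site), site)
        print(f"{site}: allowlist -> {strict}, reflect-origin -> {weak}")
```

Run stand-alone it prints one line per origin; the allowlisted dev origin can read the token under both policies, while the attacker origin succeeds only against the reflecting variant.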



