[annotator-dev] CORS Issue

Randall Leeds tilgovi at hypothes.is
Fri Oct 10 16:57:48 UTC 2014

On Oct 10, 2014 9:12 AM, "Robert Sanderson" <azaroth42 at gmail.com> wrote:
> This:  http://enable-cors.org/
> Or, TL;DR ... add a header to the response: Access-Control-Allow-Origin: *

If you're using the auth plugin you need to do more than this.

You must also allow credentialed requests and allow the
X-Annotator-Auth-Token header.

However, if you're using the annotator-store flask application it sets
these for you. You do not need to do anything with apache.

The only exception is that if you do implement authentication, you need to
provide a token route, which is not built in to annotator-store (although
the functions you need to do so are in the annotator.auth module).

Tell us about any questions you have if this is unclear.

There is documentation here:

If your token endpoint is on the same origin as the page you're annotating,
you don't have to worry about CORS there.

If you're trying to use the bookmarklet or in some other way are hoping to
annotate pages on a different domain, you will need to set appropriate CORS
headers for the token route. I'd be happy to assist you further if that's
the case.
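
Added example, not part of the original message and not annotator-store's own code: one way to compute the CORS headers for a cross-origin token route that accepts credentialed requests and the X-Annotator-Auth-Token header. The names `ALLOWED_ORIGINS`, `ALLOWED_METHODS` and `cors_headers` and the origins are assumptions made for illustration; it relies on the browser rule that a credentialed response must name the exact origin rather than `*`.

```python
# Constructed sample values; replace with the sites you actually annotate.
ALLOWED_ORIGINS = {"https://reader.example", "https://blog.example"}
ALLOWED_METHODS = "GET, OPTIONS"          # assumption: a read-only token route
AUTH_HEADER = "X-Annotator-Auth-Token"    # header named in the message above


def cors_headers(method, request_headers, allowed_origins=ALLOWED_ORIGINS):
    """Return the CORS headers to attach to a response (hypothetical helper).

    request_headers is a dict of request header names to values.
    An empty dict is returned when Origin is missing or not allowlisted,
    so the browser will not expose the response to the calling page.
    """
    req = {name.lower(): value for name, value in request_headers.items()}
    origin = req.get("origin")
    if origin is None or origin not in allowed_origins:
        return {}

    headers = {
        # Browsers reject "*" on credentialed requests: echo the exact origin.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # The response differs per origin, so caches must key on it.
        "Vary": "Origin",
    }

    # A preflight is an OPTIONS request carrying Access-Control-Request-Method.
    if method.upper() == "OPTIONS" and "access-control-request-method" in req:
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = AUTH_HEADER
    return headers


if __name__ == "__main__":
    preflight = {
        "Origin": "https://reader.example",
        "Access-Control-Request-Method": "GET",
        "Access-Control-Request-Headers": "x-annotator-auth-token",
    }
    for name, value in cors_headers("OPTIONS", preflight).items():
        print(f"{name}: {value}")
```

Merge the returned dict into the response headers of the token route; an empty result means the response goes out without CORS headers.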
