CORS violation when using REST API #84
@dblezek Thanks for the detailed report. @cpatrick @jamiesnape Would it help to update the latest version of Midas?
No, and streaming is not an option in general. Do we need to support using a browser to make API calls? What is the use case?
@jamiesnape Working on a browser based viewer for Slicer MRB files. One of the use cases would be to have a list of available MRB files from MIDAS, and click load. This works fine if you download the MRB and then drag it onto the page, but CORS does not let the data be fetched from MIDAS. Perhaps you could include CORS headers to be enabled for all downloads? Not sure why you couldn't send the file directly from http://slicer.kitware.com/midas3/rest/bitstream/download/{id} without the redirect. The REST API led me to believe it was possible...
@dblezek Let me investigate and I will get back to you with a solution.
We probably could, however the redirect isn't the issue here since it's just redirecting to the same origin (http://slicer.kitware.com). It's the XHR from your origin to slicer.kitware.com that is causing the CORS. In any case, we should expose instance-level settings for CORS headers to allow from cross origin XHR like in this case. @jamiesnape you may be able to borrow some logic in that regard from the way girder does this: girder/girder#580
Sorry, meant this PR girder/girder#549
@zachmullen, the redirect is the problem. The /rest/bitstream/download/{id} returns with a nice The last request does not have the REST Call: non-REST Call:
Interesting, thanks for the info -- I was unaware that part of MIDAS was sending permissive CORS headers and part was not. Definitely strange behavior that should be fixed. :)
So it turns out that in /library/REST/Controller/Plugin/RestHandler.php, we have:

```php
public function dispatchLoopStartup(Zend_Controller_Request_Abstract $request)
{
    // ...
    // Cross-Origin Resource Sharing (CORS)
    // TODO: probably should be an environment setting?
    // These headers are set unconditionally, for every origin, on every REST response.
    $this->_response->setHeader('Access-Control-Max-Age', '86400');
    $this->_response->setHeader('Access-Control-Allow-Origin', '*');
    $this->_response->setHeader('Access-Control-Allow-Credentials', 'true');
    $this->_response->setHeader('Access-Control-Allow-Headers', 'Authorization, X-Authorization, Origin, Accept, Content-Type, X-Requested-With, X-HTTP-Method-Override');
    // ...
}
```
Looking deeper, there are a lot of issues with the code in the REST_ namespace. |
Thanks for looking into it. Much appreciated. |
Yes, thanks! |
I will try to get a fix in for the version 3.4 release. |
@jamiesnape or @zachmullen Any progress? Would love to integrate Midas into my project. thanks |
@dblezek No progress, I am afraid. There will be some refactoring related to the REST_ namespace in 3.4.1, but I do not have an ETA yet. |
I would like to use the REST API to request data from MIDAS3; all works well until I ask for the contents of a bitstream using this URL:

http://slicer.kitware.com/midas3/rest/bitstream/download/206209?token=z1Fox3UzXORN4BJUfoGH08ZN94Hsb8zCfWmqJDXa

MIDAS re-directs outside the /rest, CORS-aware section of MIDAS to

http://slicer.kitware.com/midas3/rest/bitstream/download/206209?token=z1Fox3UzXORN4BJUfoGH08ZN94Hsb8zCfWmqJDXa&appname=mrml-drop&email=daniel.blezek%40gmail.com&apikey=uO0824aTAB7SUhnMQoQYzXxtx2lM1jXt5GwcX1lO

and Firefox unceremoniously pukes with a CORS warning:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://slicer.kitware.com/midas3/download/?bitstream=206209&offset=0&name=DWIVolume.mrb&authToken=z1Fox3UzXORN4BJUfoGH08ZN94Hsb8zCfWmqJDXa. This can be fixed by moving the resource to the same domain or enabling CORS.

Would it be possible to stream directly rather than redirect? The browser can display without problem, but XMLHttpRequest objects can't.

Thanks,
-dan
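The failure described in the report above, together with the RestHandler.php headers quoted earlier in the thread, modelled as an added example. This is not Midas code and not from any participant: it reproduces the browser's CORS check on a cross-origin XHR that is redirected from the /rest URL to the /download URL, and puts a hardened, allow-list based replacement for the quoted header logic beside it. Two details worth noting: the browser applies the CORS check to every cross-origin hop of a redirect chain, which is why the Firefox error names the final /download URL rather than the /rest URL the script asked for; and the quoted headers pair `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Credentials: true`, a combination browsers reject on credentialed requests, so the wildcard only ever helps an XHR sent without cookies or `withCredentials`. The viewer origin `https://viewer.example.org`, the allow-list, the responses and every function name are assumptions for illustration; the MIDAS URLs are the ones from the thread, with the authToken parameter left out of the redirect target.

```javascript
// Added example, not Midas code: models the browser's CORS check on a
// cross-origin XHR that is redirected, using the header names quoted from
// RestHandler.php and the MIDAS URLs from the report. The viewer origin,
// the allow-list and all function names are assumptions for illustration.

const VIEWER_ORIGIN = "https://viewer.example.org"; // assumed requesting page
const REST_URL = "http://slicer.kitware.com/midas3/rest/bitstream/download/206209";
// Redirect target from the Firefox error, authToken parameter left out.
const DOWNLOAD_URL =
  "http://slicer.kitware.com/midas3/download/?bitstream=206209&offset=0&name=DWIVolume.mrb";

// What RestHandler.php sends today, as quoted in the thread.
const RESTHANDLER_HEADERS = {
  "Access-Control-Max-Age": "86400",
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Headers":
    "Authorization, X-Authorization, Origin, Accept, Content-Type, X-Requested-With, X-HTTP-Method-Override",
};

// Instance-level allow-list (assumed setting). Matching is exact on the full
// origin string: no substring or regex matching.
const ALLOWED_ORIGINS = [VIEWER_ORIGIN];

// Hardened replacement for the quoted logic: echo the matched Origin instead
// of "*" (browsers reject "*" together with credentials) and add Vary: Origin
// so a shared cache never hands one origin's response to another.
function corsHeadersFor(requestOrigin, allowList = ALLOWED_ORIGINS) {
  if (!allowList.includes(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": RESTHANDLER_HEADERS["Access-Control-Allow-Headers"],
    "Access-Control-Max-Age": "86400",
    Vary: "Origin",
  };
}

// The browser's CORS check on one response: Allow-Origin must be "*" or the
// exact requesting origin; with credentials, "*" is not accepted and
// Allow-Credentials must be "true".
function corsCheck(requestOrigin, withCredentials, responseHeaders) {
  const allowOrigin = responseHeaders["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (allowOrigin === "*" && !withCredentials) return true;
  if (allowOrigin !== requestOrigin) return false;
  return !withCredentials || responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// Follow a redirect chain as the browser does for a cross-origin XHR: every
// cross-origin hop, the final one included, must pass the CORS check, and the
// first hop that fails is the URL the console error names.
function followCrossOrigin(requestOrigin, withCredentials, startUrl, responses) {
  let url = startUrl;
  for (let hop = 0; hop < 20; hop++) {
    const res = responses[url];
    if (!res) throw new Error("no constructed response for " + url);
    const crossOrigin = new URL(url).origin !== requestOrigin;
    if (crossOrigin && !corsCheck(requestOrigin, withCredentials, res.headers)) {
      return { ok: false, blockedAt: url };
    }
    const target = res.headers.Location;
    if (res.status >= 300 && res.status < 400 && target) {
      url = target;
      continue;
    }
    return { ok: true, url, status: res.status };
  }
  throw new Error("too many redirects");
}

// Constructed responses reproducing the report: the /rest hop carries the
// RestHandler headers, the /download hop carries no CORS headers at all.
const RESPONSES_TODAY = {
  [REST_URL]: { status: 302, headers: { ...RESTHANDLER_HEADERS, Location: DOWNLOAD_URL } },
  [DOWNLOAD_URL]: { status: 200, headers: {} },
};

// Non-credentialed XHR: the /rest hop passes, the /download hop is blocked.
function reproduceReport() {
  return followCrossOrigin(VIEWER_ORIGIN, false, REST_URL, RESPONSES_TODAY);
}

// Credentialed XHR: blocked already on the /rest hop, because "*" plus
// Allow-Credentials: true is rejected by browsers.
function reproduceWithCredentials() {
  return followCrossOrigin(VIEWER_ORIGIN, true, REST_URL, RESPONSES_TODAY);
}

// With the allow-list headers applied to both hops, the same credentialed XHR
// reaches the bitstream.
function fixedScenario() {
  const cors = corsHeadersFor(VIEWER_ORIGIN);
  const responses = {
    [REST_URL]: { status: 302, headers: { ...cors, Location: DOWNLOAD_URL } },
    [DOWNLOAD_URL]: { status: 200, headers: { ...cors } },
  };
  return followCrossOrigin(VIEWER_ORIGIN, true, REST_URL, responses);
}
```

Run with `node cors-redirect.js` after adding `console.log(reproduceReport(), reproduceWithCredentials(), fixedScenario())`; the first call reports `blockedAt` as the /download URL, matching the Firefox message, the second is blocked on the /rest URL, and the third succeeds with status 200. The point for the instance-level setting the thread proposes is that the same `corsHeadersFor` decision has to run on the /download handler as well as in RestHandler.php, otherwise the redirect leaves the CORS-aware part of MIDAS exactly as the report describes.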