Plumber: Don't allow-origins * by default

Created on 19 Jul 2017 · 5Comments · Source: rstudio/plumber

Currently Plumber defaults to provide a Access-Control-Allow-Origin=* HTTP header unless it's overridden. This opens Plumber APIs up to be requested from a browser from any origin when the request is a simple GET, HEAD, or POST using the standard HTTP headers.

This should be backed down from unless the user opts-in to permissive CORS behavior.

bug

Source

trestletech

Most helpful comment

Your script needs to look like this:

```r

* @filter cors

cors <- function(res) {
res$setHeader("Access-Control-Allow-Origin", "*")
plumber::forward()
}

* @get /protected

protected <- function(adresse) {
...
}

joelgombin on 11 Oct 2017

👍4

All 5 comments

I'm not sure this is the right place to ask, but I need to opt-in to a permissive CORS behavior, allowing a cross-origin request, but I'm not sure how to do that.
Following https://github.com/trestletech/plumber/issues/66, I've added this to my plumber.R file:

#* @filter cors
cors <- function(res) {
  res$setHeader("Access-Control-Allow-Origin", "*")
  plumber::forward()
}

And then this before my endpoints:

#* @preempt cors
#* @get /protected
protected <- function(adresse) {
...
}

but, as per http://resttesttest.com/, the request is still blocked when requested from the browser.
Could you point me to a way to fix this?
Thanks!

joelgombin on 3 Sep 2017

👍1

OK, don't worry, I've understood that I need to remove the @preempt lines.

joelgombin on 3 Sep 2017

Hi,
I currently have the same issue as @joelgombin. I also have followed what in #66 is explained but I can not avoid the CORS error. What do you mean when you (@joelgombin) say "I need to remove the @preempt lines"? Could you put the same example but working?

Thank You beforehand