Bug #18244
Commons CORS Error (closed)
Description
Via ZD:
I am a librarian at the Graduate Center Library and I also work on the library website. Since a site we use for the purpose has gone down permanently, I am reimplementing an RSS feed reader to ingest the posts on our Commons site. I have run up against a CORS error, and the simplest solution would be to do as this page suggests: https://bionicteaching.com/allowing-cross-origin-access-to-wordpress-feeds/
Is that possible? It would be very helpful.
Thanks,
Steve
Stephen Zweibel
Digital Scholarship Librarian
Updated by Boone Gorges over 1 year ago
- Status changed from New to Reporter Feedback
I'd be glad to explore a CORS exception for RSS feeds, but could I first get some more details? It would be helpful to know the specific Commons feed(s) that the third-party application is trying to ingest. And ideally, it would be great if I could see the URL where the ingesting will take place - eg, if it's a WordPress site with a widget that pulls in RSS items. That way, I could test the CORS headers myself.
Updated by Marilyn Weber over 1 year ago
He replies:
Zweibel, Stephen
May 17, 2023, 4:09 PM EDT
Hi,
Thanks for responding. It’s just me using JavaScript on an HTML file, so an AJAX call. We use GitHub Pages for our static site in order to not have to pay for a server. And the feed is:
https://gclibrary.commons.gc.cuny.edu/category/blog/website-front-page/feed/?fsk=5c1146bca3512
Something like this: https://levelup.gitconnected.com/javascript-basics-how-to-use-rss-to-retrieve-medium-articles-d9c4d7c10387
Or this: https://css-tricks.com/how-to-fetch-and-parse-rss-feeds-in-javascript/
Steve
Updated by Boone Gorges over 1 year ago
> We use GitHub Pages for our static site in order to not have to pay for a server.
Do you have the application built already, and hosted on GitHub Pages? I can certainly write my own small application to mimic what you're doing, but it would be easier if I could use yours.
Updated by Marilyn Weber over 1 year ago
Sure, the Pages site is: https://gc-library.github.io/Mina-Rees-library-site/
and the repo is: https://github.com/GC-Library/Mina-Rees-library-site
You can see the code in static/js/utils.js and the error can be seen in the console:
Access to fetch at 'https://gclibrary.commons.gc.cuny.edu/category/blog/website-front-page/feed/?fsk=5c1146bca3512' from origin 'https://gc-library.github.io' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
And actually I tried this 'no-cors' mode and it didn't work.
Thanks,
Steve
Stephen Zweibel
Digital Scholarship Librarian
CUNY Graduate Center
Updated by Boone Gorges over 1 year ago
Thanks for providing this information. Rather than the wildcard header you suggested, I've introduced a specific exception for https://gc-library.github.io. For my reference, see the following in our root htaccess:
Header set Access-Control-Allow-Origin 'https://gc-library.github.io'
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, User-Agent"
In my tests, the RSS importer at https://gc-library.github.io/Mina-Rees-library-site/ is now fetching items and logging them in the console.
Updated by Marilyn Weber over 1 year ago
Stephen Zweibel replies
I appreciate that, and the whitelisting makes sense. Could you also whitelist http://library.gc.cuny.edu/ ? Stephen Klein has a server that we're using at the moment. Thanks.
This approach does make testing the RSS on my own PC impossible, I think, so that is a downside. Or I can use one of those (very sketchy) CORS-ignoring extensions like this one: https://chrome.google.com/webstore/detail/allow-cors-access-control/lhobafahddgcelffkeicbaginigeejlf
Updated by Boone Gorges over 1 year ago
- Target version set to 2.1.7
It looks like Apache doesn't have very good syntax for a complex whitelist, so I've moved this into a PHP function. CORS Origin restrictions should now be relaxed for all RSS requests. https://github.com/cuny-academic-commons/cac/commit/c2b276a4115012ee0c27f1ce73f4b9eae239ad54
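One way to express the multi-origin allowlist discussed above in PHP, as an added example; it is not the code from the linked commit or from the Commons codebase. The two origins are the ones named in this ticket, the constant and function names are hypothetical, and the WordPress wiring assumes the file is loaded as a plugin.

```php
<?php
// Added example, not the Commons' code. The origins are the two named in this
// ticket; FEED_CORS_ALLOWED_ORIGINS and feed_cors_headers() are hypothetical names.
const FEED_CORS_ALLOWED_ORIGINS = [
    'https://gc-library.github.io',
    'http://library.gc.cuny.edu', // an Origin value has no path or trailing slash
];

/** Return the CORS response headers for a request Origin (null when absent). */
function feed_cors_headers(?string $origin, array $allowed = FEED_CORS_ALLOWED_ORIGINS): array
{
    // Vary on Origin for every response, allowed or not, so a shared cache
    // never replays one origin's headers to a different origin.
    $headers = ['Vary' => 'Origin'];

    // Access-Control-Allow-Origin holds a single origin (or "*"), so the
    // matching origin is echoed back. Exact string comparison only: no
    // substring, suffix or regex matching.
    if ($origin !== null && in_array($origin, $allowed, true)) {
        $headers['Access-Control-Allow-Origin'] = $origin;
    }
    return $headers;
}

if (function_exists('add_action')) {
    // WordPress: is_feed() is usable at template_redirect, before any output.
    add_action('template_redirect', function () {
        if (!is_feed()) {
            return; // only feed responses get the relaxed policy
        }
        foreach (feed_cors_headers($_SERVER['HTTP_ORIGIN'] ?? null) as $name => $value) {
            // Append to any existing Vary; replace any other header of the same name.
            header("$name: $value", $name !== 'Vary');
        }
    });
} else {
    // Stand-alone run with constructed Origin values (one allowed, one
    // look-alike, the literal "null" origin, and no Origin header at all).
    $samples = ['https://gc-library.github.io', 'https://gc-library.github.io.example.com', 'null', null];
    foreach ($samples as $origin) {
        printf("%-45s %s\n", var_export($origin, true),
            json_encode(feed_cors_headers($origin), JSON_UNESCAPED_SLASHES));
    }
}
```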
Updated by Marilyn Weber over 1 year ago
Steve Z confirms that this works. I think this ticket can be closed now.