I want to build a simple web app, running entirely...
# random
p
I want to build a simple web app, running entirely in the browser (no backend), to analyze publicly available files from another domain. Well, CORS stands in the way 😄 Is there any way to work around it, other than having my own proxy server, and making users install browser extensions like this one? I know this is basically not kotlin but kotlin colored as CORS is a generic mechanism in the browsers, but if it matters: I already have a working PoC in Kotlin/Wasm, maybe Wasm has some kind of a secret toggle?
@Stefan Oltmann @Robert Jaros curious if you know!
s
I don't know hacks around that. If the original host didn't set CORS rules that allow you to access the files, you may need to set up a proxy getting them - like a Cloudflare worker. But free tier is limited to 100k calls per day.
I use this page to find out if a host has set CORS rules: https://cors-test.codehappy.dev/
p
thanks for the idea with Cloudflare, this quota may be sufficient for my use case!
s
If both domains are under your control you may also make a Cloudflare proxy using CNAME. CORS only steps in and annoys if domains differ. For example my https://stefan-oltmann.de/oni-seed-browser gets data from https://data.mapsnotincluded.org ... CORS steps in and annoys. I'm working on making a proxy on https://data.stefan-oltmann.de just to drop all this CORS configuration stuff.
CORS is enforced by the browser, so in my view it's a relatively weak protection system. 👀
In that way a small hack I figured out: GitHub release page has strict CORS rules, but anything published to GitHub pages has CORS wildcard. 😉
p
> For example my https://stefan-oltmann.de/oni-seed-browser gets data from https://data.mapsnotincluded.org ...
> CORS steps in and annoys.
sorry, I missed something - given the seed browser works fine, what's the secret here? I see the app lazily loads next items, but I don't see anything in the Network tab - do you use web sockets or sth?
or is it all static content embedded into the app?
s
No, the map database is 5 GB 😄
p
let me actually share what I'm trying to achieve here, to avoid XY communication problem: I want to create a tool where one would specify Maven artifacts of a given Java/Kotlin (JVM) library, and the tool would enumerate all versions along with Java bytecode version (+ in the future: Kotlin metadata version). It's messy like a PoC, but it works, at least for my lib (tried with other libs, has some minor troubles, probably because of bespoke KMP ZIP + inflate), see the code
s
It loads from https://data.mapsnotincluded.org/ & https://oni-worlds.stefanoltmann.de/ as a mirror. You should see the calls in the network tab. On both backends I set a CORS wildcard rule to make it work.
p
ah ok, so you control mapsnotincluded.org domain 🙂 that's what I've missed
s
Yes, the service that's running there at least.
Here is your issue.
maven.org doesn't allow you to access. You will need the proxy.
Or you ask them if they set wildcard CORS rules... Given Gradle can access from any client, they may be fine with that.
p
I'll try it, I think they're pretty responsive when creating new Central accounts 😄
p
ok, a request to Sonatype sent, let's see what happens
s
Let me know what they respond. 🙂
c
> CORS is enforced by the browser, so in my view it's a relatively weak protection system.
Well, the point of CORS is to stop third-party sites from making actions against your website using the user's credentials. Proxying to a different origin doesn't create a risk of actions being accidentally authenticated to the user, so CORS is protecting as intended.
j
Was about to say that 🙂 It works well, just annoying when it gets in the way 🙂
p
@CLOVIS yeah, it's just weird to have CORS for resources that require no auth. But perhaps this way they're trying to cut off some traffic that the web apps with no backend (that are cheaper to create) might generate? Let's see what Sonatype responds, and how they justify their "no" (if it's a "no")
> Hello Piotr,
> Thank you for your feedback. We will discuss it internally and let you know what we decide.
> We would be interested in hearing more about your web-app project. We're always curious how our users integrate with Maven Central.
> Thank you,
> The Central Team
It's not a "no" yet, I hope :)
s
Thanks for sharing. I don’t think they were ever asked that question. With CORS, you have to explicitly allow it — if they haven’t set anything up on their end, it’s forbidden by default.
s
Very helpful. So indeed we don't need to set up our own CORS proxies. Nice.
p
oh, so there's an entire line of business here 😄
s
Indeed, some have pricing information attached.