I have a vue-js app that is bundled together with ...
# ktor
f
I have a vue-js app that is bundled together with webpack yes, I keep that in a separate folder and serve that folder as a static asset. What happens when CORS is not enabled at all? When it is not I can use relative paths but I cannot let another host call the server from javascript (which makes sense, that is how it should be) but when I enable CORS to give access to my javascript host, why is the self hosted javascript site then denied access? Do you have something I can look at concerning the webpack issue?
o
If served as static content, it shouldn’t be affected. I think webpack tweaks headers if it acts as a proxy, but I’m not sure.
@cy can you help?
f
I can put together a GitHub issue with a minimal example to produce the issue, would that be of help?
Just for clarity, I'm not running the webpack server when deployed, I get this issue when I have deployed a jar to aws as well
c
Doesn't AWS have its own CORS? Shouldn't it be configured separately?
Or it is reproducible on localhost as well?
f
I may very well have this the wrong way, but don’t I need to enable CORS on the server to allow an external javascript client to do requests? I have not fully grasped what is going on, but it works if I allow the host on the server side via CORS. Or do I need to fiddle with CORS on S3? To me currently that is only if I want another js client to access what is on the S3 bucket riiiiight? 😄
It is reproducible on localhost as well yes
c
If you don't use webpack server then how do you get multiple ports? some kind of proxy?
f
I run my ktor server on port 5000, just when developing do I run a webpack development server on port 8080, that is not really a problem, I want it to work when deployed
The issue is that the node vue app that I have served as a static asset can do requests against the server when CORS is not enabled through ktor but not when it is, unless I explicitly allow the server itself to request against itself, namely localhost:5000
c
do static and ktor server run separately on AWS?
f
yes
c
AWS does proxy so this could be a reason
f
or no sorry, static run on the same server, same ec2 instance
c
most likely they run on different ports
f
I have two spas, one that is hosted as a static asset (it is a dashboard for the server) and then I have an actual front end app that is hosted on S3, also a spa
I know the ec2 instance of ktor is running at port 5000, and it does work if I explicitly allow localhost:5000 through cors config
Do you understand the setup? Sorry if I am confusing you
c
I believe I do
f
Again, if I do not care about CORS at all, the ec2 instance with ktor running works fine with its statically hosted spa, it can do requests against itself fine
c
could you please show me exact HTTP request details from the browser's developer console?
f
Ktor responds with 403 when the self hosted spa tries to make requests
Can't provide screenshots right now sorry, will fix in a few hours
No CORS “installed” -> requests is fine
c
Yes, it would be very helpful to see more details: request and headers and response
f
CORS is “installed” to make another js client work -> same request is a 403
yes alright, will come back in about an hour 🙂
thank you so much for your time so far!
c
It is important to notice which Origin it actually sends
f
I sent pictures in #ktor just now
c
I see. I believe we can add configurable same-origin logic to ktor as the specification doesn't forbid doing so
f
Hmm okay, so what is happening right now, it seems like the standard behavior is overridden when enabling CORS, when to me CORS should just be an addition, not changing what already works without it, what is happening?
c
well, it shouldn't be just an addition but a different behaviour described by the specification that doesn't require always passing same-origin requests but makes it optional
f
The default configuration to the CORS feature handles only GET, POST and HEAD HTTP methods and the following headers:
Is to be read in the documentation. I get a 403 from anything that is not that even on my own host 😕 I have to explicitly declare everything to get the old behavior back. Is that to be expected? What change do you propose and what can I do now, it seems like I have to explicitly declare the AWS elastic beanstalk host address as well now to get PUT requests to work. I just want the static asset js client to be able to do whatever it wants, just like before
So you mean that enabling CORS is now putting on more constraints on ALL requests? In that case an option to allow everything from the same host as the server is running on would be good yes
The same behavior as when CORS is not enabled
c
Yes, exactly. I am going to introduce option allowSameOrigin. The only question is what default value it should have: should we allow same-origin requests by default or not
f
Okay, makes sense, I probably know too little about CORS to be able to provide my opinion on that. To a noobie like me, enabling CORS is like enabling a protocol that enables external js clients to fire requests at your server, and you can then config which hosts should be able to do that. So to me it should allow same origin as default since it to me has little to do with what you enabled CORS for. If you by any chance have a js client hosted on the same origin I can not see a situation where you would want to choke that.
And besides even now the default configuration is still allowed, even for same origin, just not anything else
So it is not blocked, just semi-functional
c
It depends on the Origin header: when it is missing then it will always be passed
I don't know why it actually sends it for same-origin requests
f
Ahaaa, I see. So it is axios's fault? 😄
c
The other issue is that even if I allow same-origins, CORS will still block not-allowed http methods and headers
f
And why does it all work when CORS is not enabled? Because the default is to not allow external js clients to reach your server right? That is why CORS exists? If I don’t enable CORS my static asset spa works fine but my external js client can't fire requests against ktor. If I enable CORS I get this problem, the external js client can then do whatever request it wants, according to the config I allow, but not the self hosted spa. How do I get both to work with ktor 0.9.1 tonight? 😄
What is CORS and then anyHost() exactly? To me it seems like those cancel out, or should I just do that in the meantime? It's not a production system, just a hobby project of mine, so I don't really care as of now
c
You need to add "localhost:5000" and "yourdomain" to the list
You also may need to add more HTTP methods, as by default CORS only allows: HttpMethod.Get, HttpMethod.Post and HttpMethod.Head
f
I have added localhost:5000 and allowed PUT and DELETE. It works locally but when deployed to AWS EB it doesn't work. It seems like I need to add XXX.region.elasticbeanstalk.com as well. Why is that needed, shouldn’t localhost be enough?
It's still localhost essentially that makes the request (the self hosted spa), why does it care where it is deployed? seems fragile
c
No, domain-comparison is quite strict