Spec should have .well-known/(atproto-did|did.json) require CORS headers #2281
Replies: 1 comment 1 reply
-
|
This makes sense to me, and I think we should definitely encourage/recommend this as a best practice. I'm not sure if we should make it a hard requirement ("SHOULD" vs "MUST"). Does a server implementation consider a handle invalid if the For did:web, it seems like we can recommend behavior, but in terms of requirements should follow the upstream specification (I haven't looked this up yet). There already exist a large set of potential CORS proxies, in the form of PDS instances and Relays, which could (or already do) have open Of course, if it isn't a "MUST", then adoption can't be guaranteed, and browser-based resolvers would see a different network from a non-browser-resolver, so the gains of declaring this a "best practice" could be mixed. |
Beta Was this translation helpful? Give feedback.
-
|
i think you make a good point with DoH - until you can do fully recursive dns on the browser, requiring CORS headers from these won't change much |
Beta Was this translation helpful? Give feedback.
-
Is your feature request related to a problem? Please describe.
Browser based atproto clients should be able to resolve handles, however CORS prevents it when did:web, or HTTPS based handle resolution is used, and CORS headers are not sent.
Describe the solution you'd like
Requiring CORS headers for these files in the spec would make sure this is the case.
Describe alternatives you've considered
Having clients run CORS proxies would work, but puts unnecessary load and effort on client developers.
Beta Was this translation helpful? Give feedback.
All reactions