Documentation For Whitelist Usage #22

Open
nonfungibletunji opened this issue Jun 23, 2015 · 5 comments

@nonfungibletunji

  # This list determines which outside domains can communicate with the AMS API.  Use '*' for wildcard.
  config.cors_whitelist = 'http://localhost:4200'

From the source code, how do I add my Heroku app? Comma separated?

@hhff
Owner

hhff commented Jun 23, 2015

In most cases, you'll want to lock this to your environment ("localhost" for dev, "production.com" for prod), so I'd recommend passing it in from your secrets.yml or ENV.

I think there are some problems with actually listing multiple values (with the spec, not spree_ams), but I need to do some more research on that.

As it's an API anyway, it's not bad practice to just do '*' and open it up to requests from anywhere.

@nonfungibletunji
Author

again placing it in the notebook

@hhff
Owner

hhff commented Jun 23, 2015

If you'd like to submit a PR documenting the feature a bit better, I'd love that!

@hhff
Owner

hhff commented Jun 23, 2015

Confirmed that:

There can only be one Access-Control-Allow-Origin response header, and that header can only have one origin value. Therefore, in order to get this to work, you need to have some code that:

1. Grabs the Origin request header.
2. Checks if the origin value is one of the whitelisted values.
3. If it is valid, sets the Access-Control-Allow-Origin header with that value.

I don't think there's any way to do this solely through the web.config.

Therefore, in its current iteration we can only accept a single value, or *

@hhff
Owner

hhff commented Jun 23, 2015

Made an issue to allow this: #24
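
The three-step check quoted in the thread above (read `Origin`, compare it against the whitelist, echo it back only on a match), as an added Ruby example that is not part of the original thread and not spree_ams code. The `CorsWhitelist` class, its method names, the comma-separated setting format and the sample hostnames are all assumptions made for illustration.

```ruby
require 'uri'
require 'set'

# Hypothetical helper, not part of spree_ams: parses a comma-separated
# whitelist setting and decides which CORS headers a response should carry.
class CorsWhitelist
  DEFAULT_PORTS = { 'http' => 80, 'https' => 443 }.freeze

  def initialize(setting)
    entries = setting.to_s.split(',').map(&:strip).reject(&:empty?)
    @wildcard = entries.include?('*')
    @origins = entries.map { |e| normalize(e) }.compact.to_set
  end

  # Returns the headers to add for the given Origin request header value.
  def headers_for(origin)
    return { 'Access-Control-Allow-Origin' => '*' } if @wildcard

    # The response now varies by Origin, so caches must key on it.
    headers = { 'Vary' => 'Origin' }
    candidate = origin && normalize(origin)
    # Exact match on the canonical form; no substring or regex matching.
    if candidate && @origins.include?(candidate)
      headers['Access-Control-Allow-Origin'] = candidate
    end
    headers
  end

  private

  # Canonical "scheme://host[:port]" form, or nil when the value is not a
  # bare http(s) origin (for example "null", or a URL with path or userinfo).
  def normalize(value)
    uri = URI.parse(value.strip)
    scheme = uri.scheme.to_s.downcase
    return nil unless DEFAULT_PORTS.key?(scheme) && uri.host
    return nil unless ['', '/'].include?(uri.path.to_s)
    return nil if uri.query || uri.fragment || uri.userinfo

    default = uri.port.nil? || uri.port == DEFAULT_PORTS[scheme]
    "#{scheme}://#{uri.host.downcase}#{default ? '' : ":#{uri.port}"}"
  rescue URI::InvalidURIError
    nil
  end
end
```

A request whose `Origin` is not on the list gets no `Access-Control-Allow-Origin` header at all, so the browser blocks the cross-origin read.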
