the final boss in getting the blossom server on ORLY? working turns out to be CORS

Access to fetch at 'https://test.orly.dev/upload' from origin 'https://jumble.social' has been blocked by CORS policy: Request header field x-sha-256 is not allowed by Access-Control-Allow-Headers in preflight response.

IIRC, there’s a weird interaction where Chrome will reject your CORS request if you try to include credentials and the Access-Control-Allow-Origin is set to ‘*’.

To perform a credentialed CORS request, the header has to name an origin. So the workaround tends to be to accept an origin parameter somehow (URL parameter, request header), then, server side, use this value to populate the Access-Control-Allow-Origin header in your server response.

That way, the preflight succeeds enough to get to the actual request.
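An added example, not code from this thread or from the relay being discussed: a Go middleware for the workaround described above that echoes `Origin` only when it is on an allowlist, rather than reflecting whatever the caller sends, and that admits `x-sha-256` in the preflight. The allowlists, the method list, and the names `withCORS` and `preflight` are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed allowlists for this example (assumptions, not a real server's config).
var allowedOrigins = map[string]bool{"https://jumble.social": true}
var allowedHeaders = map[string]bool{"authorization": true, "content-type": true, "x-sha-256": true}

// withCORS echoes Origin only when allowlisted and vets the preflight's requested headers.
func withCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		w.Header().Add("Vary", "Origin") // response differs per origin, so caches must key on it
		if allowedOrigins[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin) // "*" is refused with credentials
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		if !allowedOrigins[origin] || r.Method != http.MethodOptions {
			next.ServeHTTP(w, r) // unknown origin gets no CORS headers, so the browser blocks it
			return
		}
		for _, h := range strings.Split(r.Header.Get("Access-Control-Request-Headers"), ",") {
			if h = strings.ToLower(strings.TrimSpace(h)); h != "" && !allowedHeaders[h] {
				w.WriteHeader(http.StatusForbidden) // a non-2xx status fails the preflight
				return
			}
		}
		w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, PUT, DELETE") // assumed method set
		w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type, X-SHA-256")
		w.WriteHeader(http.StatusNoContent)
	})
}

// preflight replays a constructed OPTIONS request, like the one a browser sends before an upload.
func preflight(origin, reqHeaders string) *http.Response {
	req := httptest.NewRequest(http.MethodOptions, "/upload", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "PUT")
	req.Header.Set("Access-Control-Request-Headers", reqHeaders)
	rec := httptest.NewRecorder()
	withCORS(http.NotFoundHandler()).ServeHTTP(rec, req)
	return rec.Result()
}

func main() { fmt.Println(preflight("https://jumble.social", "x-sha-256").Header) }
```

Reflecting an unvalidated origin together with `Access-Control-Allow-Credentials: true` would let any site read authenticated responses, which is why the echo is gated on the allowlist.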


Discussion

ah. well, i guess since that doesn't apply to nostr auth, but yes i bumped into that combo one time a ways back

oh yeah, and, it turned out it was something amiss with my reverse proxy `reverse` as well as related to the relay's http header handling. that plus the miserable internet speed i get here and the relay's sync doing crazy stuff...

was actually lots of fixes as well as getting the blossom working