Bug#974094: openpgpkey.debian.org: CORS header Access-Control-Allow-Origin missing

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#974094: openpgpkey.debian.org: CORS header Access-Control-Allow-Origin missing
From: Dmitry Borodaenko <angdraug@debian.org>
Date: Mon, 9 Nov 2020 12:26:19 -0800
Message-id: <[🔎] 20201109202619.GA31647@localhost>
Reply-to: Dmitry Borodaenko <angdraug@debian.org>, 974094@bugs.debian.org

Package: www.debian.org
Severity: wishlist

Without CORS headers, Keyoxide can't use WKD at
https://openpgpkey.debian.org/.well-known/openpgpkey/hu/

Trying to load https://keyoxide.org/angdraug@debian.org
I get "TypeError: NetworkError when attempting to fetch resource." from the
page with the following message in Firefox Web Console:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
remote resource at
https://openpgpkey.debian.org/.well-known/openpgpkey/debian.org/hu/9x816kggqo951wj5pxew86uhk4greo7a.
(Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

A direct request to the URL above succeeds.

The keys served from under /.well-known/openpgpgkey/ are public information,
afaict there are no risks to serving a "Access-Control-Allow-Origin: *" header
in response to all GET requests to that path prefix.

Thank you,
-- 
Dmitry Borodaenko

Reply to:

Prev by Date: Processed: Re: Changelogs of 'linux' package in stretch+buster are 404
Next by Date: Bug#965326: Changelogs of 'linux' package in stretch+buster are 404
Previous by thread: Processed: Re: Changelogs of 'linux' package in stretch+buster are 404
Next by thread: Bug#965326: Changelogs of 'linux' package in stretch+buster are 404
Index(es):
- Date
- Thread