Bug#974094: openpgpkey.debian.org: CORS header Access-Control-Allow-Origin missing
Package: www.debian.org
Severity: wishlist
Without CORS headers, Keyoxide can't use WKD at
https://openpgpkey.debian.org/.well-known/openpgpkey/hu/
Trying to load https://keyoxide.org/angdraug@debian.org
I get "TypeError: NetworkError when attempting to fetch resource." from the
page with the following message in Firefox Web Console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
remote resource at
https://openpgpkey.debian.org/.well-known/openpgpkey/debian.org/hu/9x816kggqo951wj5pxew86uhk4greo7a.
(Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
A direct request to the URL above succeeds.
The keys served from under /.well-known/openpgpgkey/ are public information,
afaict there are no risks to serving a "Access-Control-Allow-Origin: *" header
in response to all GET requests to that path prefix.
Thank you,
--
Dmitry Borodaenko
Reply to: