CORS policy issue with Kanboard API and Axios #5522

Open
e-labInnovations opened this issue Jul 28, 2024 · 2 comments

Comments

@e-labInnovations

When trying to use the Kanboard API with Axios from a different origin (e.g., http://localhost:8081), I encounter a CORS policy issue. The browser blocks the request due to the absence of the Access-Control-Allow-Origin header in the response from jsonrpc.php.

Error Message:

Access to XMLHttpRequest at 'http://kanboard.local/jsonrpc.php' from origin 'http://localhost:8081' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Proposed Solution:

To solve this issue, I suggest adding the following headers to jsonrpc.php:

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST');
header("Access-Control-Allow-Headers: X-Requested-With, authorization, content-type");

kanboard/jsonrpc.php

Lines 1 to 5 in bc2d336

<?php
require __DIR__.'/app/common.php';
echo $container['api']->execute();

The change looks like this:

<?php

require __DIR__.'/app/common.php';

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST');
header("Access-Control-Allow-Headers: X-Requested-With, authorization, content-type");

echo $container['api']->execute();

Security Considerations:

Before adding these headers, I'd like to discuss potential security implications. Are there any concerns with allowing cross-origin requests from any domain (*)? Should we restrict the allowed origins to specific domains or implement additional security measures?

Please let me know if this draft issue meets your requirements or if you'd like me to make any changes!

@fguillot
Member

Ideally, this feature should be configurable with at least 2 options:

  1. One option to enable the CORS headers (disabled by default)
  2. Another option to change the value of Access-Control-Allow-Origin (the default value can be *)

Regarding the HTTP headers, Access-Control-Max-Age could be added as well. For example, setting Access-Control-Max-Age: 3600 can reduce the number of preflight requests.

This logic could be implemented in a middleware instead of changing jsonrpc.php. There is an existing class Kanboard\Api\Middleware\AuthenticationMiddleware. Another middleware CORSMiddleware could be added.

@fguillot
Member

fguillot commented Jul 30, 2024

Updating jsonrpc.php is fine too if adding a new middleware is overkill. Another possibility is to update the vendored library lib/jsonrpc. The important part is to make it configurable.
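The following is an added example written for this page, not Kanboard's code and not something either participant posted. It sketches the configurable variant discussed in both comments above (a switch that is off by default, plus a configurable Access-Control-Allow-Origin value, with Access-Control-Max-Age added) and also answers the security question raised in the issue: a wildcard is acceptable here because browsers refuse to send cookies or other credentials to a `*` response, so the Kanboard session cookie can never be used from a foreign origin; an allowlist must compare origins exactly and must not simply reflect whatever Origin header arrives. The config keys `api_cors_enabled` and `api_cors_allow_origin` are hypothetical names chosen for the example, and the way Kanboard actually loads configuration is not shown.

```php
<?php
// Added example (not Kanboard code): configurable CORS handling for jsonrpc.php.
// The config keys 'api_cors_enabled' and 'api_cors_allow_origin' are hypothetical.

declare(strict_types=1);

/**
 * Compute the CORS response headers for one request.
 *
 * $config keys (hypothetical):
 *   'api_cors_enabled'      bool   - feature switch, off by default
 *   'api_cors_allow_origin' string - '*' or a comma-separated allowlist of origins
 *
 * Returns ['headers' => [name => value], 'preflight' => bool]. When 'preflight'
 * is true the caller should answer 204 and must not execute the JSON-RPC call.
 */
function corsHeaders(array $config, ?string $requestOrigin, string $method): array
{
    $none = ['headers' => [], 'preflight' => false];

    if (empty($config['api_cors_enabled'])) {
        return $none; // disabled by default: today's behaviour, no CORS headers at all
    }

    $allowed = trim((string) ($config['api_cors_allow_origin'] ?? '*'));
    $headers = [];

    if ($allowed === '*') {
        // Wildcard: any origin may call the API. Browsers never attach cookies or
        // other ambient credentials to a '*' response, so the web UI session cookie
        // cannot be replayed cross-origin. An Authorization header that the calling
        // script sets explicitly (Basic auth) is still permitted.
        $headers['Access-Control-Allow-Origin'] = '*';
    } else {
        // Allowlist: echo the request origin only on an exact match.
        // Never reflect an arbitrary Origin header back to the client.
        $list = array_map('trim', explode(',', $allowed));
        if ($requestOrigin === null || !in_array($requestOrigin, $list, true)) {
            return $none; // unknown origin: the browser will block the response
        }
        $headers['Access-Control-Allow-Origin'] = $requestOrigin;
        $headers['Vary'] = 'Origin'; // stop caches serving one origin's answer to another
    }

    $headers['Access-Control-Allow-Methods'] = 'GET, POST';
    $headers['Access-Control-Allow-Headers'] = 'X-Requested-With, Authorization, Content-Type';
    $headers['Access-Control-Max-Age'] = '3600'; // let the browser cache the preflight for an hour

    return ['headers' => $headers, 'preflight' => strtoupper($method) === 'OPTIONS'];
}

// Usage as it could appear in jsonrpc.php (hypothetical config array; the real
// Kanboard configuration mechanism is not shown here).
$config = [
    'api_cors_enabled'      => true,
    'api_cors_allow_origin' => 'http://localhost:8081',
];

$cors = corsHeaders(
    $config,
    $_SERVER['HTTP_ORIGIN'] ?? null,
    $_SERVER['REQUEST_METHOD'] ?? 'POST'
);

foreach ($cors['headers'] as $name => $value) {
    header($name . ': ' . $value);
}

if ($cors['preflight']) {
    // A preflight OPTIONS request carries no Authorization header, so it has to be
    // answered here, before the JSON-RPC layer would try to authenticate it.
    http_response_code(204);
    exit;
}

// echo $container['api']->execute();
```

With the allowlist form, an Origin of `http://localhost:8081` gets that exact value echoed back together with `Vary: Origin`; any other origin, or a request with no Origin header, gets no CORS headers and is blocked by the browser as it is today. The `*` form must never be paired with `Access-Control-Allow-Credentials: true`; browsers reject that combination, and a reflected-origin plus credentials pairing is precisely what turns CORS into a cross-site request forgery vector.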
