Hi Andy, I'm not knowledgeable enough with CORS to advise whether the configuration I shared should be shipped with all Fuseki2 downloads, applying to all URLs. There might be security caveats.
If I cared about security, I would align the URL patterns allowed for CORS with those I configured in shiro.ini, those that are public: what is public in shiro.ini should be allowed for CORS, to enable fellow developers to use my endpoint for their Web apps. In any case, I think adding a section in Fuseki2 documentation showing how to get CORS working (bases on the configuration I suggested) would be a good step forward, and may bring more people in the discussion. There would be a warning making clear that the default configuration may not be fit for production. I hope I gave a beginning of answer to your question :) Colin @CMaudry On 21/08/2015 21:14, Andy Seaborne wrote: > To push this forward, here's a JIRA proposing to add the setup Colin > gives: > > https://issues.apache.org/jira/browse/JENA-1014 > > Question: should this be in Fuseki when running as a war file in > Tomcat etc? I think the answer is "yes". > > Next question: Should this be added to all responses? HTML pages, /$/ > admin operations and dataset services? For the usual use cases, it > seems it should but is that always true? > > If this is the way to go, to produce a jetty-independent version for > the war file, then taking a clone of jetty's CrossOriginFilter is > needed - fortunately, that file explicitly syas it is dual licensed, > Eclipse and Apache. > > Andy > > On 19/07/15 18:39, Andy Seaborne wrote: >> Hi Colin, >> >> Thank you very much for writing this up. >> >> Andy >> >> On 15/07/15 18:24, Colin Maudry wrote: >>> Hello people, >>> >>> I did follow the instructions in the Jetty documentation, but that was >>> not very helpful, as it's very succint. >>> >>> After experimenting, I realized that we have to be quite explicit in >>> our >>> configuration. >>> >>> So I managed to have my Fuseki2 SPARQL endpoint accessible to a YASGUI >>> instance, doing this: >>> >>> https://github.com/YASGUI/YASGUI/issues/65#issuecomment-121673221 >>> >>> For the lazy ones: >>> >>> 1. Open |webapp/WEB-INF/web.xml >>> 2. Insert the following snipped before any other <filter> >>> | >>> >>> <!-- CORS filter--> >>> >>> <filter> >>> <filter-name>cross-origin</filter-name> >>> >>> <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class> >>> >>> <init-param> >>> <param-name>allowedOrigins</param-name> >>> <param-value>*</param-value> >>> </init-param> >>> <init-param> >>> <param-name>allowedMethods</param-name> >>> >>> <param-value>GET,POST,DELETE,PUT,HEAD,OPTIONS</param-value> >>> </init-param> >>> <init-param> >>> <param-name>allowedHeaders</param-name> >>> <param-value>Accept, Origin, X-Requested-With, >>> Content-Type, Last-Modified, Authorization</param-value> >>> </init-param> >>> <init-param> >>> <param-name>exposedHeaders</param-name> >>> >>> <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value> >>> >>> >>> </init-param> >>> </filter> >>> <filter-mapping> >>> <filter-name>cross-origin</filter-name> >>> <url-pattern>/*</url-pattern> >>> </filter-mapping> >>> >>> 3. Configure to your taste, but it works as-is. The key, compared to >>> what the documentation says, >>> is that you should configure the servers to return certain headers >>> that indicate CORS is enabled. >>> >>> Cheers, >>> Colin >>> >>> >>> On 02/06/15 17:52, Jeffrey Witt wrote: >>> >>> Hi, I just updated to Fuseki2 from Fuseki1. With Fuseki1 I was enjoying >>> the enabled *CORS* support, especially important for javascript only, >>> single page apps. >>> >>> But, as I¹ve gleaned from this post: >>> https://issues.apache.org/jira/browse/JENA-652 *CORS* is not enabled by >>> default for Fueski2. I wonder if it is now possible to enable *CORS* >>> for >>> Fueski2. If so could someone guide me through the enabling process. >>> >>> (I have little to no experience with writing in Java, so I might need >>> detailed instructions). >>> >>> Thanks in advance. jw >>> >>> Hi there, >>> >>> You'r right - *CORS* is not enabled in Fuseki2. It would eb re >>> >>> if you are deploying Fuseki2 with the standalone server jar >>> (fuseki-server.jar), not the WAR file, you can follow the instructions >>> for Jetty [1] to enable it (no Java required, editing web.xml is >>> required). >>> >>> The web.xml file is in webapp/WEB-INF/web.xml of what usually >>> FUSEKI_HOME >>> >>> The war file can also be done - it needs unpacking, changing web.xml >>> and >>> repacking. >>> >>> ----------- There's machinery in Fuseki2 for this (and a request >>> routing >>> problem - now being fixed). >>> >>> What would help me is someone with experience to advise what the >>> headers >>> should be for the various options and especially whether one choice of >>> settings is good for everyone or whether this needs configuration in >>> some way. Even if the latter, what is the best out-of-the-box settings? >>> >>> If it is one universal set of settings, is better (safe) to do in >>> Fuseki2 or, for example when running in Tomcat, should Tomcat do it? >>> >>> Andy >>> >>> [1] >>> http://www.eclipse.org/jetty/documentation/current/cross-origin-filter.html >>> >>> >>> >>> >> >
