[libvirt] [PATCH 0/3] Ditch external JavaScript libraries

Daniel P. Berrangé berrange at redhat.com
Thu Jun 20 11:00:35 UTC 2019


On Thu, Jun 20, 2019 at 10:04:03AM +0200, Martin Kletzander wrote:
> On Wed, Jun 19, 2019 at 06:24:36PM +0100, Daniel P. Berrangé wrote:
> > On Wed, Jun 19, 2019 at 05:22:56PM +0200, Martin Kletzander wrote:
> > > This is a response to all the discussions (mainly) other people had about all
> > > the JS code we're currently using, bundling, etc.
> > > 
> > > I would love some feedback on whether we can work on any of the solutions for
> > > getting rid of that external proxy.  We would have to:
> > > 
> > >  - either have our own proxy,
> > 
> > Ideally we'd not use any proxy imho
> > 
> 
> I agree with that.
> 
> > >  - send a 'Access-Control-Allow-Origin' header from the libvirt.org server to
> > >    allow fetching the atom.xml or
> > 
> > Can you elaborate on this ?  This is something we'd need to set on the
> > libvirt.org httpd config, to allow it to access atom.xml from the
> > planet.virt-tools.org server ?
> > 
> 
> The reason why we cannot fetch it directly is because of Same-origin policy [1]
> CORB (Cross-Origin Read Blocking).  In order to avoid XSS (Cross-site scripting)
> the page is only allowed to access Same-Origin URIs (there are exceptions, I'll
> get to that).  If a resource from different origin needs to be fetched, then the
> server side needs to be set up for CORS (Cross-Origin Resource Sharing [2]).
> With that the server sends the Access-Control-Allow-Origin (and other
> Access-Control-Allow-*) headers that will restrict what resources can the page
> load and how.  For our use case it would be enough to set these, I believe (as
> more restrictive is better):
> 
>  Access-Control-Allow-Origin: "https://planet.virt-tools.org"
>  Access-Control-Allow-Methods: "GET"

As discussed on irc, we actually needed the reverse. planet.virt-tools.org
web server needs to serve these headers, allowing libvirt.org. I have now
got the planet.virt-tools.org apache configured to do this correctly I
believe, so please give it a try & let me know if anything else needs
changing on either httpd server.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



