CORS does not allow to get the object's headers #121

Closed
opened 2025-12-28 18:07:10 +00:00 by sami · 7 comments

Originally created by @mike-petrov on GitHub (Dec 11, 2024).

Originally assigned to: @532910 on GitHub.

Current Behavior

CORS does not allow to get the object's headers

Object shared link (/getobject):

  • with cors:
    image

  • without cors:
    image

sami 2025-12-28 18:07:10 +00:00
  • closed this issue
  • added the S4, bug, U2, I4 labels

@mike-petrov commented on GitHub (Dec 11, 2024):

Only standard headers can be read from another domain. In our case we can't get custom object headers because of CORS: https://web.dev/articles/introduction-to-fetch#response_types, but we can specify the `Access-Control-Allow-Origin` parameter in the backend for the domain panel.fs.neo.org. @roman-khimov, is this possible?


@roman-khimov commented on GitHub (Dec 11, 2024):

I'm not excited about this idea. This REST gateway is supposed to be app-agnostic, not configured or even used for any specific application.


@mike-petrov commented on GitHub (Dec 12, 2024):

Yes, I absolutely agree, but I had no other solutions. But today I thought that we can do the same as in [send-fs-neo-org](https://github.com/nspcc-dev/send-fs-neo-org/), that is, proxy the call to REST through nginx; this way we will get rid of CORS and will address within the same domain:

  • https://github.com/nspcc-dev/send-fs-neo-org/blob/master/src/api.ts#L53
  • https://github.com/nspcc-dev/send-fs-neo-org/blob/master/README.md#nginx-config-example-on-the-production-server

This method works for send-fs-neo-org.

@roman-khimov commented on GitHub (Dec 12, 2024):

That was my thought as well, but this breaks the simplicity of panel.fs.neo.org somewhat, it was using REST as is and it's mostly fine this way.


@roman-khimov commented on GitHub (Jan 3, 2025):

Can Access-Control-Expose-Headers help us?


@mike-petrov commented on GitHub (Jan 13, 2025):

[Looks](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers) like something that should solve our problem, I've never seen it, maybe @532910 knows?

@mike-petrov commented on GitHub (Jul 23, 2025):

added Access-Control-Expose-Headers by @532910
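
The behaviour discussed in this thread, as an added example that is not code from the panel or the REST gateway: a JavaScript model of the browser's CORS response-header filtering, showing which headers page script can read with and without Access-Control-Expose-Headers. It assumes the CORS check itself has already passed; the sample response and the X-Example-Attribute name are constructed placeholders.

```javascript
// Model of the Fetch "CORS filtered response" rule (added example).
// Response headers script may always read on a cross-origin response.
const SAFELISTED = new Set([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);
// Never readable by script, whatever the server exposes.
const FORBIDDEN = new Set(['set-cookie', 'set-cookie2']);

// Parse the comma-separated Access-Control-Expose-Headers value.
function parseExposeList(value) {
  return (value || '')
    .split(',')
    .map((name) => name.trim().toLowerCase())
    .filter((name) => name.length > 0);
}

// Sorted names of the headers page script can read cross-origin.
// `withCredentials` mirrors fetch(..., { credentials: 'include' }).
function readableHeaders(headers, withCredentials = false) {
  const names = Object.keys(headers).map((n) => n.toLowerCase());
  const raw = Object.entries(headers)
    .find(([n]) => n.toLowerCase() === 'access-control-expose-headers');
  let exposed = parseExposeList(raw && raw[1]);
  // "*" exposes everything only for requests without credentials;
  // with credentials it is a literal header name "*".
  if (!withCredentials && exposed.includes('*')) exposed = names;
  const allowed = new Set(exposed);
  return names
    .filter((n) => !FORBIDDEN.has(n) && (SAFELISTED.has(n) || allowed.has(n)))
    .sort();
}

// Constructed sample response; X-Example-Attribute is a placeholder
// for a custom object header, not a name taken from the gateway.
const base = {
  'Content-Type': 'image/png',
  'Content-Length': '1024',
  'X-Example-Attribute': 'demo',
  'Set-Cookie': 'sid=1',
};
const expose = (v) => ({ ...base, 'Access-Control-Expose-Headers': v });

console.log(readableHeaders(base));
console.log(readableHeaders(expose('X-Example-Attribute')));
console.log(readableHeaders(expose('*')));
console.log(readableHeaders(expose('*'), true));
```

An explicit header list keeps working for credentialed requests, where the `*` wildcard exposes nothing beyond the safelisted names.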

Reference
nspcc-dev/panel-fs-neo-org#121