Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
env var for controling allowed origins ?
See original GitHub issueHi,
We have a scenario were we want to use table data from within another application (a map) served from another domain than our Grist domain.
I’ve first tried to add CORS headers in the Treafik proxy, but then I hit a check in grist-core. So I’ve discovered that there is a small CORS management in Grist, great! 😃
I understand that the API keys are “full powered” at this time, so exposing them in an application may be quite risky. But it seems that if the document is “public access: on”, we can get the data through the API without a key (not totally sure about this point, though).
So, a suggestion would be to add an (optional) env var GRIST_ALLOWED_HOSTS to allow more hosts.
Does that make sense ?
Thanks for your inputs,
Yohan
Issue Analytics
- State:
- Created a year ago
- Comments:7 (7 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
The ability to set a list of allowed origins on a per-document basis would definitely be useful, and Document Settings would be a good place for it. For self-managed Grist, an optional
GRIST_ALLOWED_HOSTSenvironment variable that enumerates a set of trusted sites associated with the entire installation also makes sense. Since the environment variable is much easier to implement, and an immediate need for you, I agree @LouisDelbosc that it is a good place to start.I think it would be helpful if the environment variable functioned like the existing
ALLOWED_WEBHOOK_DOMAINSvariable, which is a comma-separated list of domains that may be used in webhooks (e.g.webhook.site,zapier.com). In that case, subdomains of the listed domains are permitted, and I think that would be desirable here too for consistency.It would be nice setting a list of allowed origins on a per-document basis.
It would allow things like adding a record to Grist (including hosted Grist) directly from a form on a webpage (using some Javascript). There is a risk that it would tempt people to put sensitive API keys into pages, which we should discourage as much as possible. But it would be legitimately useful for unauthenticated requests, since you could make a Grist document public and use granular access rules to limit what unauthenticated requests can do.