CORS does not allow to get the object's headers

[mike-petrov]

Current Behavior

CORS does not allow to get the object's headers

Object shared link (/getobject):

• with cors:

• without cors:

[mike-petrov]

Only standard headers can be read from another domain, in our case we can't get custom object headers because of cors: https://web.dev/articles/introduction-to-fetch#response_types, but we can specify Access-Control-Allow-Origin parameter in backend for domain panel.fs.neo.org, @roman-khimov is this possible?

[roman-khimov]

I'm not excited about this idea. This REST gateway is supposed to be app-agnostic, not configured or even used for any specific application.

[mike-petrov]

Yes, I absolutely agree, but I had no other solutions. But today I thought that we can do the same as in send-fs-neo-org, that is through nginx to proxy the call to rest and this way we will get rid of cors and will address within the same domain:

• https://github.com/nspcc-dev/send-fs-neo-org/blob/master/src/api.ts#L53
• https://github.com/nspcc-dev/send-fs-neo-org/blob/master/README.md#nginx-config-example-on-the-production-server

This method works for send-fs-neo-org.

[roman-khimov]

That was my thought as well, but this breaks the simplicity of panel.fs.neo.org somewhat, it was using REST as is and it's mostly fine this way.

[roman-khimov]

Can Access-Control-Expose-Headers help us?

[mike-petrov]

Looks like something that should solve our problem, I've never seen it, maybe @532910 knows?