Hacker News new | ask | show | jobs
by capableweb 1863 days ago
I think these are meant for development setups, which you normally run in a localhost context, meaning you most likely won't have to deal with CORS.

But, if you still need it, the http-server program has a --cors flag to enable wildcard CORS.
2 comments
hmsimha 1863 days ago
You could still want CORS if, for example, you're testing a front-end service that typically calls out to a remote resource. Maybe you typically deploy both same-origin in production, but for dev you want to be able to feed it some specific data. In this case a different port would require CORS.

There are lots of ways around this (put the files in your static folder, embed it into the file you're debugging, use a library which provides mock data, probably more), but it's not inconceivable to just want to be able to point the 'api' configuration param to localhost on a different port so you can just feed it json files from a directory that already has the data you want.

link
capableweb 1862 days ago
No, you misunderstand how CORS works. CORS (the allowance of CORS to be precise) is up to the server you're request data from, not your own local instance.

So if you're hosting a frontend, you can use whatever you want to host that frontend. It's up to the backend you're connecting to, to set the right headers to allow your quests. Then you're no longer using static file servers (probably) but rather some custom built/framework where you can easily set the headers you want.

link
hmsimha 1862 days ago
I don't think I am.

If I'm testing a react app on localhost:3000, and it normally calls out to an api of mine also, I may want to feed it some dummy data. Let's say I use python http.serve on port 5000 in a directory with files in a subdirectory `api` with files `users` and `posts` (which contain JSON data representative of the API response). I then set my react app to use localhost:5000 as the api.

The react app will then make the requests to the api such as `localhost:5000/api/users` and `localhost:5000/api/posts`. The server will respond with the data; however, if the header `Access-Control-Allow-Origin: http://localhost:3000` isn't set, the browser will block this data (probably? unless there are exceptions for localhost)

link
henearkr 1863 days ago
Thanks!! I'll try it again, the last time I did I thought it was not allowing the right setting, but yeah a wildcard CORS should be enough of course.
link
pixl97 1863 days ago
>but yeah a wildcard CORS should be enough of course.

You mean that isn't the production default?

/s

link