Plone.rest: allow_origin in CORSPolicy, how does it work?

I want to set allow_origin to a subdomain, for example app.example.com, where the Plone site is running on example.com. The plone.rest package provides a ZCML setting for that, but I don't see any allow_origin headers after adding this setting as described in the docs:

What do I miss here?

@datakurre @ramon @tisto any ideas?

To make it clear what I did, here is my configuration, which I added to the instance part in the buildout config:

zcml-additional =
  <configure xmlns="http://namespaces.zope.org/zope"
             xmlns:plone="http://namespaces.plone.org/plone">
  <plone:CORSPolicy
    allow_origin="http://localhost:4300,http://127.0.0.1:4300,http://localhost:3000,http://127.0.0.1:3000,http://app.example.lan"
    allow_methods="DELETE,GET,OPTIONS,PATCH,POST,PUT"
    allow_credentials="true"
    expose_headers="Content-Length,X-My-Header"
    allow_headers="Accept,Authorization,Content-Type,X-Custom-Header,Origin"
    max_age="3600"
    />
  </configure>

I would expect an allow_origin header in the response of the Plone server now, but I can't find any changes in the response.

Maybe it is only for REST calls and not on every page? Here: https://github.com/plone/plone.rest/blob/7974081a7f247893e0a42fd0a3ac6fe3cfa4c983/README.rst

"CORS policies can be bound to specific interfaces of content objects and to specific browser layers. This allows us to define different policies for different content types or to override existing policies. The following example defines a policy for the site root.

<plone:CORSPolicy
for="Products.CMFPlone.interfaces.IPloneSiteRoot"
layer="myproduct.interfaces.IMyBrowserLayer"
allow_origin="*"
allow_methods="GET"
/>"

Can this help?

The config works indeed; I have added some more allowed headers which make sense, like:

  • DNT
  • X-Requested-With
  • If-Modified-Since
  • Cache-Control

The main issue was that I had a problem in the backend; the CORS message was just misleading.
So make sure that you catch errors correctly and everything works.
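A small checker for the situation described in this thread, written as an added example (it is not code from the thread or from plone.rest). It parses the attribute values of the plone:CORSPolicy directive quoted above into a policy and compares a response's headers against it, so that three different causes of "the browser shows a CORS error" can be told apart: the origin is not in allow_origin, the policy was not applied to the request at all (for example because it was not a REST request or the for/layer binding did not match), or the backend answered with an error status and therefore sent no CORS headers, which is what the last post turned out to be. It also flags a credentialed policy that answers with a wildcard origin, which browsers reject. The responses below are constructed sample data; the function and header names are the example's own.

```python
# Added example, not from the thread or from plone.rest.
# Parses the plone:CORSPolicy attribute values into a policy and checks a
# response against it. All responses used here are constructed samples.

ALLOW_ORIGIN = "access-control-allow-origin"
ALLOW_CRED = "access-control-allow-credentials"
ALLOW_METHODS = "access-control-allow-methods"
ALLOW_HEADERS = "access-control-allow-headers"

# Attribute values copied from the directive in the question.
POLICY_ATTRS = {
    "allow_origin": "http://localhost:4300,http://127.0.0.1:4300,"
                    "http://localhost:3000,http://127.0.0.1:3000,http://app.example.lan",
    "allow_methods": "DELETE,GET,OPTIONS,PATCH,POST,PUT",
    "allow_credentials": "true",
    "expose_headers": "Content-Length,X-My-Header",
    "allow_headers": "Accept,Authorization,Content-Type,X-Custom-Header,Origin",
    "max_age": "3600",
}


def _csv(value):
    """Split a comma separated attribute/header value into stripped items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_policy(attrs):
    """Turn the comma separated zcml attribute values into a policy dict."""
    return {
        "allow_origin": set(_csv(attrs.get("allow_origin", ""))),
        "allow_methods": {m.upper() for m in _csv(attrs.get("allow_methods", ""))},
        "allow_headers": {h.lower() for h in _csv(attrs.get("allow_headers", ""))},
        "allow_credentials": attrs.get("allow_credentials", "false").lower() == "true",
    }


def check_response(policy, origin, status, headers, preflight=False,
                   method="GET", request_headers=()):
    """Return a list of findings; an empty list means the response fits the policy.

    `headers` are the response headers. For a preflight, `method` and
    `request_headers` are the Access-Control-Request-* values the browser sent.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    origin_ok = origin in policy["allow_origin"] or "*" in policy["allow_origin"]

    if ALLOW_ORIGIN not in h:
        if status >= 400:
            # The case from the thread: a backend error, not a CORS problem.
            findings.append(f"HTTP {status} with no CORS headers: the backend failed; "
                            f"the browser reports a CORS error but the {status} is the real problem")
        elif origin_ok:
            findings.append("origin is in allow_origin but no Access-Control-Allow-Origin was sent: "
                            "the policy was not applied to this request (is it a REST request, "
                            "and does the for/layer binding match?)")
        else:
            findings.append(f"origin {origin} is not in allow_origin; the browser will block it")
        return findings

    acao = h[ALLOW_ORIGIN]
    if acao not in ("*", origin):
        findings.append(f"Access-Control-Allow-Origin is {acao!r}, which does not match {origin!r}")
    if policy["allow_credentials"]:
        if acao == "*":
            findings.append("allow_credentials=true with Access-Control-Allow-Origin '*' is "
                            "rejected by browsers for credentialed requests")
        if h.get(ALLOW_CRED, "").lower() != "true":
            findings.append("Access-Control-Allow-Credentials: true is missing, so cookies and "
                            "Authorization will not be sent")

    if preflight:
        allowed_methods = {m.upper() for m in _csv(h.get(ALLOW_METHODS, ""))}
        allowed_headers = {x.lower() for x in _csv(h.get(ALLOW_HEADERS, ""))}
        m = method.upper()
        if m not in policy["allow_methods"]:
            findings.append(f"method {m} is not in the policy's allow_methods")
        elif m not in allowed_methods:
            findings.append(f"method {m} is allowed by the policy but missing from "
                            "Access-Control-Allow-Methods")
        for rh in request_headers:
            if rh.lower() not in policy["allow_headers"]:
                findings.append(f"request header {rh} is not in the policy's allow_headers")
            elif rh.lower() not in allowed_headers:
                findings.append(f"request header {rh} is allowed by the policy but missing from "
                                "Access-Control-Allow-Headers")
    return findings


if __name__ == "__main__":
    policy = parse_policy(POLICY_ATTRS)
    # Constructed sample: a backend error that the browser would show as a CORS failure.
    for f in check_response(policy, "http://app.example.lan", 500, {"Content-Type": "text/html"}):
        print(f)
```

To use it against a real instance, capture the response headers of the failing request (for example the preflight, an OPTIONS request carrying Origin, Access-Control-Request-Method and Access-Control-Request-Headers) together with the status code and pass them to check_response; the first finding is the one to act on. The DNT, X-Requested-With, If-Modified-Since and Cache-Control headers mentioned above are not CORS-safelisted request headers, which is why a preflight that names them fails until they appear in allow_headers; the preflight branch reports exactly that.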