Skip to content

HTTP Header: Allow on non-custom domains (or per-project) #8649

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ericholscher opened this issue Nov 3, 2021 · 1 comment
Open

HTTP Header: Allow on non-custom domains (or per-project) #8649

ericholscher opened this issue Nov 3, 2021 · 1 comment
Labels
Accepted Accepted issue on our roadmap Improvement Minor improvement to code

Comments

@ericholscher
Copy link
Member

ericholscher commented Nov 3, 2021
edited
Loading

Currently we have the ability to set a custom HTTP header on custom domains, but we have had users who want to set custom headers on their existing rtd.io domain.

Implementation

Currently we have HttpHeader's that link to a project's Domain:

readthedocs.org/readthedocs/projects/models.py

Lines 1596 to 1600 in 2552bb6

domain = models.ForeignKey(
Domain,
related_name='http_headers',
on_delete=models.CASCADE,
)

We are then adding those headers to the domain here:

readthedocs.org/readthedocs/proxito/middleware.py

Line 179 in 2552bb6

def add_user_headers(self, request, response):

It would make sense to actually have this relation point at the Project as well as the Domain.We could then do a check for project.http_headers in that code.

Complications

I'm guessing the reason that we have pointed this at the Domain is because of subprojects. So every project that is using that same Domain should use those custom headers. I think we want to be able to point it at either the Project or the Domain. This would allow this feature to be used by projects without a custom domain

Use case

The user who pointed this out wanted add a CORS header that allowed CORS from their PR build domain. So, basically Access-Control-Allow-Origin: docs--*.org.readthedocs.build. Unfortunately, I'm not sure if CORS supports wildcards like this. Since the domain will change for each PR build, this might not allow us to set the CORS header manually, and it might need to be something that is specified in Python:

readthedocs.org/readthedocs/core/signals.py

Line 36 in d6f7347

def decide_if_cors(sender, request, **kwargs): # pylint: disable=unused-argument

However, I still think it should be possible to add custom headers to projects without a custom domain, so this issue is worth fixing even if it doesn't work for this particular use case.

/cc @drammock
@ericholscher ericholscher added Accepted Accepted issue on our roadmap Improvement Minor improvement to code labels Nov 3, 2021
@humitos humitos changed the title Allow custom headers on non-custom domains Allow custom headers on non-custom domains (or per-project) Sep 15, 2023
@github-project-automation github-project-automation bot moved this to Planned in 📍Roadmap Sep 15, 2023
@humitos
Copy link
Member

humitos commented Sep 15, 2023

The user who pointed this out wanted add a CORS header that allowed CORS from their PR build domain. So, basically Access-Control-Allow-Origin: docs--*.org.readthedocs.build. Unfortunately, I'm not sure if CORS supports wildcards like this

No, this is not supported by this header. However, this particular use case is implemented in #10737

@humitos humitos mentioned this issue Sep 15, 2023
Closed
@stsewd stsewd changed the title Allow custom headers on non-custom domains (or per-project) HTTP Header: Allow on non-custom domains (or per-project) Sep 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Accepted Accepted issue on our roadmap Improvement Minor improvement to code
Projects
📍Roadmap
Status: Planned
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ericholscher @humitos