Geoffrey Irving  committed f6e4e88

Give the webserver an open CORS policy

This allows Javascript code from arbitrary websites to access the
keyserver, including posting new keys.

  • Parent commits 496fa83

Files changed (2)

   - Upgraded to cryptlib-1.7, Added the SHA-3 algorithm, Keccek
   - Option max_matches was setting max_internal_matches. Fixed (BB issue #4)
   - op=hget now supports option=mr for completeness (BB issue #17)
+  - Add CORS header to web server responses. Allows JavaScript code to
+    interact with keyservers, for example the OpenPGP.js project.
 
 1.1.4
   - Fix X-HKP-Results-Count so that limit=0 returns no results, but include
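Review bot: The new changelog entry does not say that the policy is a wildcard or that it is sent on every response, which is what an operator upgrading needs to know. The code change writes `Access-Control-Allow-Origin: *` unconditionally and the commit message says this includes posting new keys, so consider wording such as "Add `Access-Control-Allow-Origin: *` to all web server responses, including key submission" in place of "Add CORS header to web server responses".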
   in
   sprintf "(%s %s)" kind request
 
-(* Result codes and descriptions from                                     *)
-(* https://support.google.com/webmasters/bin/answer.py?hl=en&answer=40132 *)
+(* Result codes and descriptions from                                               *)
+(* https://support.google.com/webmasters/bin/answer.py?hl=en&answer=40132           *)
+(* send_result exposes a completely open CORS policy, so use only with public data. *)
 
 let send_result cout ?(error_code = 200) ?(content_type = "text/html; charset=UTF-8") ?(count = -1) body =
   let text_status =
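Review bot: The CORS caveat is appended as a third line to a comment about result codes, and a blank line separates that comment from `send_result`, so someone adding a new caller is unlikely to find it. Put the caveat in its own comment directly above `let send_result ...`, and leave the two existing comment lines unpadded so the diff shows only the line that was actually added.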
   if content_type = "application/pgp-keys; charset=UTF-8" then
     fprintf cout "Content-disposition: attachment; filename=gpgkey.asc\r\n";
   (*
+   * Allow access from Javascript code on other sites.
+   * For details, see https://en.wikipedia.org/wiki/Cross-origin_resource_sharing.
+   * This is safe since all information on keyservers is public.
+   *)
+  fprintf cout "Access-Control-Allow-Origin: *\r\n";
+  (*
    * End Headers here with a final newline
    *)
   fprintf cout "\r\n";
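Review bot: The justification in the new comment, "This is safe since all information on keyservers is public", covers only cross-origin reads, while the commit message says the change is also meant to let arbitrary sites post new keys; the comment should say that the write path is intentionally open as well and why that is acceptable. The header is written for every response that passes through `send_result`, with no way for a caller to opt out, so the "use only with public data" rule depends on every future caller reading a comment; an optional argument on `send_result` that defaults to the open policy would make the choice visible at each call site. Only `Access-Control-Allow-Origin` is emitted and nothing in this hunk handles preflight, so it is worth stating in the comment that this is sufficient only for requests that do not trigger one.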