I have a page that attempts to load https://blog.cloudflare.com located at https://chickar.ee/blog.cloudflare.com (source). The XHR request fails because of the lack of an Access-Control-Allow-Origin header.
The request then falls back to a proxy (source), but that request also fails (I’ll have to debug why it thinks it’s a circular redirect).
To avoid hitting the proxy at all, I would really appreciate it if you could add
Access-Control-Allow-Origin: * to all of the pages on https://blog.cloudflare.com. Adding this header is completely safe since the site is public anyways.
So you’re saying that you want to serve Cloudflare content from your domain, and you’d like them to open up access to let you do this?
Yes. It just serves the metadata. Here’s an example: https://chickar.ee/www.nytimes.com
In this example, they don’t add the proper headers, but the proxy retrieves it.
Here’s an example where the headers are properly set:
The CORS isn’t a DRM feature
Does the current CORS header block an a href link? That seems… odd.
CORS doesn’t block anything, the same-origin policy does. Anchor tags (or anything else you can do in HTML for that matter) are not subject to the policy. XMLHttpRequests (XHR) are subject to the policy.
It prevents random web pages from reading your intranet site (like a corporate webpage behind a firewall, or your router’s configuration page). Since the Cloudflare blog is neither of those things, and is publicly accessible, it’s more than fine to allow it to be read by other sites who wish to do so.
Wait, how do any of those settings prevent you from adding a hyperlink to Cloudflare’s blog? Doesn’t seem like they do. Instead it prevents website A from artificially increasing its traffic by something something website B. Since website B seems to have done the work of creating content worth linking to is website A paying them to link or is this another… Napster-esque content wants to be free argument?
Is this a setting Cloudflare’s enforcing restrictions on its customers? Or the security settings Cloudflare has selected for their own domains and content?
I’m not trying to add a hyperlink, I’m trying to retrieve the metadata with XHR.
Metadata is not subject to copyright protection. I would assume that a marketing blog would want more traffic directed towards its blog (since reposting all of the content would be subject to copyright protection).
Again, the setting doesn’t enforce restrictions, it is restricted for every website by default, I’m asking to change the setting from something other than the default.
Lastly, it’s simple to get around this with a proxy, as you can see in this example:
(though I’m not sure why the proxy isn’t working for the Cloudflare blog… maybe because they are both on a worker?)
I fixed the problem I had with the proxy so at least now it loads:
and the RSS feed:
But would be nice if it didn’t have to hit the proxy at all (which is what I’m requesting here).
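
A simplified model of the check a browser applies before letting a page read a cross-origin XHR response to a simple GET, showing what the requested `Access-Control-Allow-Origin: *` header changes and what it does not. This is an added example, not code from the thread or from either site. The function names and the sample response headers are constructed, and preflight requests are not modelled.

```javascript
// Simplified model of the browser-side CORS check for reading a response.
// The header names are real; helper names and sample headers are constructed.

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return null;
}

// Returns true when script running on pageOrigin may read the response.
function corsReadAllowed(pageOrigin, targetUrl, responseHeaders, withCredentials = false) {
  // The same-origin policy only restricts reads that cross origins.
  if (new URL(targetUrl).origin === pageOrigin) return true;

  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;            // default: read is blocked

  // The wildcard is honoured only for requests sent without credentials.
  if (!withCredentials && allowOrigin === "*") return true;

  // Otherwise the header must name the requesting origin exactly.
  if (allowOrigin !== pageOrigin) return false;
  if (!withCredentials) return true;

  // Credentialed reads additionally need an explicit opt-in from the server.
  return getHeader(responseHeaders, "Access-Control-Allow-Credentials") === "true";
}

// Constructed scenarios using the two origins discussed in the thread.
const page = "https://chickar.ee";
const blog = "https://blog.cloudflare.com/";
const scenarios = [
  ["no CORS header", {}, false],
  ["wildcard, no credentials", { "Access-Control-Allow-Origin": "*" }, false],
  ["wildcard, with credentials", { "Access-Control-Allow-Origin": "*" }, true],
  ["exact origin + credentials opt-in",
    { "Access-Control-Allow-Origin": page, "Access-Control-Allow-Credentials": "true" }, true],
];
for (const [label, headers, creds] of scenarios) {
  const verdict = corsReadAllowed(page, blog, headers, creds) ? "readable" : "blocked";
  console.log(`${label}: ${verdict}`);
}
```

A wildcard response stays unreadable when the request carries cookies or HTTP authentication, so the header exposes only what an anonymous visitor could already fetch.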