Skip to content

Add CORS support for cross-origin API access#350

Merged
jpmccu merged 26 commits intomainfrom
copilot/fix-template-footer-and-query
Feb 4, 2026
Merged

Add CORS support for cross-origin API access#350
jpmccu merged 26 commits intomainfrom
copilot/fix-template-footer-and-query

Conversation

Copy link
Contributor

Copilot AI commented Feb 3, 2026
edited
Loading

Cross-origin headers were missing from all endpoints, blocking external applications from accessing Whyis APIs and data.

Changes

Dependencies

  • Added Flask-CORS>=3.0.10 to setup.py

CORS Configuration (whyis/app.py)

  • Configured Flask-CORS in configure_extensions() to apply to all routes (r"/*")
  • Three configurable parameters with secure defaults:
    • CORS_ORIGINS: "*" (default), single origin, or comma-separated list
    • CORS_SUPPORTS_CREDENTIALS: False (default), validated against wildcard usage
    • CORS_MAX_AGE: 3600 (default), preflight cache duration
  • Automatic validation prevents supports_credentials=True with wildcard origins per CORS spec
  • Proper logging for configuration warnings

Tests (tests/api/test_cors.py)

  • Verify CORS headers on root, SPARQL, and API endpoints
  • Validate preflight OPTIONS requests
  • Assert allowed methods, headers, and max age values

Configuration Examples

Default (all origins, no credentials):

# No config needed

Restricted origins with credentials:

CORS_ORIGINS = "https://example.com, https://app.example.com"
CORS_SUPPORTS_CREDENTIALS = True

Implementation

cors_origins = self.config.get('CORS_ORIGINS', '*')
if cors_origins != '*':
    cors_origins = [origin.strip() for origin in cors_origins.split(',')] if ',' in cors_origins else [cors_origins.strip()]

supports_credentials = self.config.get('CORS_SUPPORTS_CREDENTIALS', False)
if supports_credentials and cors_origins == '*':
    self.logger.warning("CORS: Cannot use credentials with wildcard. Disabling.")
    supports_credentials = False

CORS(self, resources={
    r"/*": {
        "origins": cors_origins,
        "methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"],
        "allow_headers": ["Content-Type", "Authorization", "Accept"],
        "supports_credentials": supports_credentials,
        "max_age": self.config.get('CORS_MAX_AGE', 3600)
    }
})

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 2 commits February 3, 2026 16:20
@jpmccu
Fix footer positioning and query parameter passing in vega-editor
9f04abe 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Move inline style to scoped CSS class for maintainability
016baf4 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix template footer positioning and query endpoint call Fix vega-editor footer overlap and SPARQL query parameter passing Feb 3, 2026
Copilot AI requested a review from jpmccu February 3, 2026 16:25
Copilot AI and others added 12 commits February 3, 2026 17:43
@jpmccu
Fix SPARQL proxy to preserve form data when forwarding to Fuseki
278bea5 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Address code review feedback: improve header handling consistency
2d6a0b2 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Extract hop-by-hop headers list to module constant for maintainability
0e3db50 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Add case-insensitive header filtering helper function
88481e3 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Improve documentation for filter_headers_for_proxying function
1f4e1b4 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Add clarifying comments for request handling and streaming behavior
57474bd 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Clarify comments about request.values access ordering
30ba360 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Add comment explaining why raw_data is used instead of request.values
c974410 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Optimize filter_headers_for_proxying with single-pass dictionary comp…
ad6620d 
…rehension

Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Remove redundant comment about streaming behavior
db90f62 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Optimize with module-level constant and improve comment clarity
9a017d4 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Clarify architectural reason for dual proxying approaches
e44b19f 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
Copilot AI changed the title Fix vega-editor footer overlap and SPARQL query parameter passing Fix vega-editor footer overlap and SPARQL proxy form parameter forwarding Feb 3, 2026
@jpmccu
Remove args configuration from YASQE to fix duplicate query parameter
17b77c5 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
Copilot AI changed the title Fix vega-editor footer overlap and SPARQL proxy form parameter forwarding Remove duplicate query parameter from YASQE configuration Feb 3, 2026
@jpmccu
Fix Vega-Lite URL construction error by removing $schema before valid…
7d0ef71 
…ation

Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Add clarifying comment about shallow copy sufficiency
efdc860 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
Copilot AI changed the title Remove duplicate query parameter from YASQE configuration Fix vega-editor SPARQL integration and rendering pipeline Feb 3, 2026
Copilot AI and others added 7 commits February 3, 2026 19:00
@jpmccu
Add CORS support to enable cross-origin API access
c1392a6 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Fix CORS security issue by disabling credentials with wildcard origins
e38d1b3 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Extract CORS max_age to named constant for better maintainability
c46963d 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Make CORS origins configurable via CORS_ORIGINS setting
40b0169 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Fix CORS origins parsing to handle single origin correctly
ddde851 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Make CORS credentials configurable and enhance test coverage
c005b12 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
@jpmccu
Make CORS max_age configurable and use proper logging
36fa4cd 
Co-authored-by: jpmccu <602385+jpmccu@users.noreply.github.com>
Copilot AI changed the title Fix vega-editor SPARQL integration and rendering pipeline Add CORS support for cross-origin API access Feb 3, 2026
@github-actions
Copy link

github-actions bot commented Feb 4, 2026

✅ Vue.js tests passed! Coverage report available in artifacts.

@jpmccu jpmccu marked this pull request as ready for review February 4, 2026 21:47
@jpmccu jpmccu merged commit c4ee7fc into main Feb 4, 2026
3 of 11 checks passed
@jpmccu jpmccu deleted the copilot/fix-template-footer-and-query branch February 4, 2026 21:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jpmccu jpmccu jpmccu approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@jpmccu jpmccu

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jpmccu