[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Inf-IT DAVcl] additional external ics resource in infcloud config file


Hi Jan,

I'm trying to talk with the webmaster of the resource I'm trying to embed in my calendar. Here is what he is saying :

Our API and static files are designed to be cross-domain usable. We have many applications that use this mechanism without a problem.

The following codes (jQuery and window.fetch) allow to retrieve the ICS file as you wish, from any page, as you can check here :

> https://jsfiddle.net/wzm287nj/.

Can you please tell what is the difference of the jsfiddle requests, and the one that are blocked in the infcloud configuration?

Thanks,

Ploc


Le 19/09/2020 à 23:35, Ján Máté a écrit :
Hi Ploc,

the:

    X-Requested-With: XMLHttpRequest


indicates that the request is a JavaScript request. The server must allow this header in the Access-Control-Allow-Headers header...

And the authorization header ... maybe there is a bug in the jQuery Ajax request in the source code, there should be something like:


    if(inputResource.userAuth.userName!='' &&
    inputResource.userAuth.userPassword!='')
    ... send the header ...


But first you must solve the X-Requested-With header problem ...


JM

On 19 Sep 2020, at 23:18, Ploc <pub2021@xxxxxxxxxxxx <mailto:pub2021@xxxxxxxxxxxx>> wrote:

Thanks Jan for your answer, I should have read carefully the comment in the config file.

I checked the resource and the server and it appears that the headers are ok to serve resources as CORS :

curl -I
https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics <https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics>
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 19 Sep 2020 09:42:49 GMT
Content-Type: application/octet-stream
Content-Length: 9085
Last-Modified: Mon, 07 Sep 2020 13:33:36 GMT
ETag: "5f5636b0-237d"
Expires: Mon, 19 Oct 2020 09:42:49 GMT
Cache-Control: max-age=2592000
Content-Disposition: attachment
Pragma: public
Cache-Control: public
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Headers: Origin,Authorization,Accept,DNT,User-Agent,If-Modified-Since,Cache-Control,Content-Type,Range
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes

As you can see, all origins are available :

Access-Control-Allow-Origin: *

My problem is that InfCloud is hosted on a server where CSP (Content Security Policy) is enabled. I have another error where the remote ics resource is not fetched because the preflight request fails :

Blocage d’une requête multiorigines (Cross-Origin Request) : la
politique « Same Origin » ne permet pas de consulter la ressource distante située sur https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics?_=1600508468800. Raison : l’en-tête « x-requested-with » n’est pas autorisé d’après l’en-tête « Access-Control-Allow-Headers » de la réponse de pré-vérification des requêtes CORS.

In other words, there cannot be the x-requested-with header along with the Access-Control-Allow-Headers header.

As far as I understand, this is due to the response of the OPTION request and answer to static.data.gouv.fr which does not contain the correct header:

request:

> Access-Control-Request-Headers: authorization,x-requested-with

response:

> Access-Control-Allow-Headers: Origin,Authorization,Accept,DNT,User-Agent,If-Modified-Since,Cache-Control,Content-Type,Range

I don't understand why is there this authorization header as I'm not using any credential to retrieve this static public resource:

var globalSubscribedCalendars={
       hrefLabel: 'Subscribed',
       calendars: [
               {
                       href: 'https://static.data.gouv.fr/resources/le-cal endrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics',
                       userAuth: {
                               userName: '',
                               userPassword: ''
                       },
                       typeList: ['vevent'],
                       ignoreAlarm: true,
                       displayName: 'vacances scolaires',
                       color: '#ff0000'
               }
       ]
};

I can't find any way to fix this issue.

Do you have any idea about that?

Thanks,

Ploc


Le 19/09/2020 à 11:25, Ján Máté a écrit :
Hi Ploc,
yes of course, from the config.js:
   // globalSubscribedCalendars
   // This option specifies a list of remote URLs to ics files (e.g.: used
   // for distributing holidays information). Subscribed calendars are
   // ALWAYS read-only. *Remote servers where ics files are hosted MUST*
   // *return proper CORS headers (see readme.txt) otherwise this
   functionality*
   // *will not work!*
The main problem is related to CORS, because all JavaScript (XHR) requests are subject of CORS limitations in modern browsers :-/
JM
On 19 Sep 2020, at 00:37, Ploc <pub2021@xxxxxxxxxxxx <mailto:pub2021@xxxxxxxxxxxx>> wrote:

Is there a way to add an additional external ics resource in infcloud config file?

I'm thinking about a static ics read-only calendar, such as holidays calendar:

https://www.data.gouv.fr/fr/datasets/le-calendrier-scolaire-format-ical/#resource-f3071c91-bd33-43e9-9fd5-3d6e3bfe7499 (french school holidays calendar)

Thanks for your answer.