Skip to content

Add CORS headers to dream server to ease integration with third-party web interfaces #363

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lstein merged 4 commits into from
Sep 4, 2022
Merged

Add CORS headers to dream server to ease integration with third-party web interfaces #363

lstein merged 4 commits into from
Sep 4, 2022

Conversation

@SebastianAigner
Copy link
Contributor

@SebastianAigner SebastianAigner commented Sep 4, 2022

I am tinkering on a project that explores some additional functionality for the web interface such as prompt queueing. Projects like these (where dev servers and deployed versions run on a different host or port than the stable-diff embedded web server) are currently suffering from failing preflight requests and additional CORS errors, since the server does not provide appropriate header responses.

This PR adds the Access-Control-Allow-Origin and Access-Control-Allow-Headers CORS headers to the appropriate responses, as well as adds the OPTION HTTP method for preflight requests.

greentext2 and others added 3 commits September 3, 2022 14:41
@greentext2 @lstein
Update README.md with new Anaconda install steps (invoke-ai#347)
c22c3de 
pip3 version did not work for me and this is the recommended way to install Anaconda now it seems
@bakkot
fix img2img variations/MPS (invoke-ai#353)
751283a 
* fix img2img variations

* fix assert for variation_amount
@SebastianAigner
Add CORS headers to dream server to ease integration with third-party…
91e826e 
… web interfaces
@lstein lstein changed the base branch from main to development September 4, 2022 12:15
lstein
lstein approved these changes Sep 4, 2022
View reviewed changes
Copy link
Collaborator

@lstein lstein left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested and works as advertised. Thank you.

@lstein lstein merged commit 3a2be62 into invoke-ai:development Sep 4, 2022
@bakkot
Copy link
Contributor

bakkot commented Sep 4, 2022

I really don't think this should be on by default. This means that any website you visit can talk to the web UI, including submitting requests. That's certainly not something I'd expect to happen without opting in, and it's also something we'd almost certainly for which we'd want to have much stricter auditing of the security of the code before enabling at all (imagine if this went in before #133).

The cross-origin restrictions are a security feature and there's good reason they're on by default.

@nderscore
Copy link
Contributor

nderscore commented Sep 4, 2022
edited
Loading

I think this would be better as a CLI argument --cors which lets you configure the value of the Access-Control-Allow-Origin header explicitly

@bakkot bakkot mentioned this pull request Sep 4, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lstein lstein lstein approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@SebastianAigner @bakkot @nderscore @lstein @greentext2