issue_comments

Table actions

6 rows where issue = 764059235 sorted by updated_at descending

View and edit SQL

This data as json, CSV (advanced)

Suggested facets: reactions, created_at (date), updated_at (date)

user 2

author_association 2

issue 1

  • More flexible CORS support in core, to encourage good security practices · 6
id html_url issue_url node_id user created_at updated_at ▲ author_association body reactions issue performed_via_github_app
1038289584 https://github.com/simonw/datasette/issues/1143#issuecomment-1038289584 https://api.github.com/repos/simonw/datasette/issues/1143 IC_kwDOBm6k_c494wqw simonw 9599 2022-02-13T17:40:50Z 2022-02-13T17:41:17Z OWNER

The way Drupal does this is interesting; https://www.drupal.org/node/2715637 - it supports the following YAML: yaml # Configure Cross-Site HTTP requests (CORS). # Read https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS # for more information about the topic in general. # Note: By default the configuration is disabled. cors.config: enabled: false # Specify allowed headers, like 'x-allowed-header'. allowedHeaders: [] # Specify allowed request methods, specify ['*'] to allow all possible ones. allowedMethods: [] # Configure requests allowed from specific origins. allowedOrigins: ['*'] # Sets the Access-Control-Expose-Headers header. exposedHeaders: false # Sets the Access-Control-Max-Age header. maxAge: false # Sets the Access-Control-Allow-Credentials header. supportsCredentials: false

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 More flexible CORS support in core, to encourage good security practices 764059235  
746827083 https://github.com/simonw/datasette/issues/1143#issuecomment-746827083 https://api.github.com/repos/simonw/datasette/issues/1143 MDEyOklzc3VlQ29tbWVudDc0NjgyNzA4Mw== simonw 9599 2020-12-16T18:56:07Z 2020-12-16T18:56:07Z OWNER

I think the right way to do this is to support multiple optional --cors-origin= pattern values, like you suggested.

 
{
    "total_count": 2,
    "+1": 1,
    "-1": 0,
    "laugh": 0,
    "hooray": 1,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 More flexible CORS support in core, to encourage good security practices 764059235  
744618787 https://github.com/simonw/datasette/issues/1143#issuecomment-744618787 https://api.github.com/repos/simonw/datasette/issues/1143 MDEyOklzc3VlQ29tbWVudDc0NDYxODc4Nw== yurivish 114388 2020-12-14T18:15:00Z 2020-12-15T02:21:53Z NONE

From a quick look at the README, it does seem to do everything I need, thanks!

I think the argument for inclusion in core is to lower the chances of unwanted data access. A local server can be accessed by anybody who can make an HTTP request to your computer regardless of CORS rules, but the default * rule additionally opens up access to the local instance to any website you visit while it is running.

That's probably not what people typically intend, particularly when the data is of a sensitive nature. A default of requiring the user to specify the origin (allowing * but encouraging a narrower scope) would solve this problem entirely, I think.

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 More flexible CORS support in core, to encourage good security practices 764059235  
744757558 https://github.com/simonw/datasette/issues/1143#issuecomment-744757558 https://api.github.com/repos/simonw/datasette/issues/1143 MDEyOklzc3VlQ29tbWVudDc0NDc1NzU1OA== simonw 9599 2020-12-14T22:42:10Z 2020-12-14T22:42:10Z OWNER

This may involve a breaking change to the CLI settings interface, so I'm adding this to the 1.0 milestone.

 
{
    "total_count": 1,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 1,
    "rocket": 0,
    "eyes": 0
}
 More flexible CORS support in core, to encourage good security practices 764059235  
744756861 https://github.com/simonw/datasette/issues/1143#issuecomment-744756861 https://api.github.com/repos/simonw/datasette/issues/1143 MDEyOklzc3VlQ29tbWVudDc0NDc1Njg2MQ== simonw 9599 2020-12-14T22:40:28Z 2020-12-14T22:40:28Z OWNER

That's a very convincing argument. I'm keen on making sure Datasette is "secure by default" so you're right, encouraging finely grains CORS rules in core rather than leaving that to a plugin sounds like the right call.

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 More flexible CORS support in core, to encourage good security practices 764059235  
744249157 https://github.com/simonw/datasette/issues/1143#issuecomment-744249157 https://api.github.com/repos/simonw/datasette/issues/1143 MDEyOklzc3VlQ29tbWVudDc0NDI0OTE1Nw== simonw 9599 2020-12-14T07:53:15Z 2020-12-14T07:53:15Z OWNER

Does this plugin do everything you need? https://github.com/simonw/datasette-cors

I'm open to arguments as to why this should be in core rather than in a plugin - I'm on the fence about that at the moment.

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 More flexible CORS support in core, to encourage good security practices 764059235  

Advanced export

JSON shape: default, array, newline-delimited, object

CSV options: 

CREATE TABLE [issue_comments] (
   [html_url] TEXT,
   [issue_url] TEXT,
   [id] INTEGER PRIMARY KEY,
   [node_id] TEXT,
   [user] INTEGER REFERENCES [users]([id]),
   [created_at] TEXT,
   [updated_at] TEXT,
   [author_association] TEXT,
   [body] TEXT,
   [reactions] TEXT,
   [issue] INTEGER REFERENCES [issues]([id])
, [performed_via_github_app] TEXT);
CREATE INDEX [idx_issue_comments_issue]
                ON [issue_comments] ([issue]);
CREATE INDEX [idx_issue_comments_user]
                ON [issue_comments] ([user]);