Add CORS headers to redirects?

[ptgolden]

I'm developing a Web application for browsing OBO ontologies, and it would be nice to request OBOGraph JSON files from https://purl.obolibrary.org/obo/*.json. Is adding Cross-Origin Resource Sharing headers something you would consider? I imagine just one (Access-Control-Allow-Origin: *), but possibly also limiting to only GET requests.

Of course, it depends on the location of the redirect also having CORS headers set. https://raw.githubusercontent.com sets them, but https://github.com/ (i.e. ontologies published through releases) does not. That might make this issue moot.

[matentzn]

Hey @ptgolden, thanks for the issue. Since the release mechanism of GitHub does not support it, the support will be very limited (many obo ontologies have grown too large for raw.github).

In the light of this do you think this feature is indeed worth supporting?

[ptgolden]

It would be a minor change in the Apache configuration with no security concerns. In that sense, it would be an easy fix. (I have also long advocated CORS headers in the RDF community).

But practically, if almost all of the OBO ontologies are published via GitHub releases (which does not support CORS), it won't make much of a difference. Happy to close.

[matentzn]

I have no experience / knowledge in this area. I will leave this open for @jamesaoverton when he is back.

@jamesaoverton - feel free to close or implement, whatever you think is best.

[jamesaoverton]

Thanks for the issue. I don't know much about CORS.

This PURL system just returns HTTP 301/302/303 responses, redirecting to other resources. Are CORS headers relevant to HTTP 30X responses? I would expect that only the HTTP 20X responses headers are relevant for CORS, but I really don't know.