Syntax of headers for imports?


(Vanessa McHale) #1

Does the new CORS compliance check rely exclusively on server-side stuff to set the headers? Or is it possible to include them in the Dhall file?

I’m a bit confused here so: the problem I am trying to solve is using Dhall expressions hosted on Hackage with those hosted on github.


(Gabriel Gonzalez) #2

@vmchale: CORS has to be supported server-side, meaning that the server itself has to opt in to being accessed from other servers. The reason why is to protect against Server Side Request Forgery. The pull request adding CORS support contains a minimal exploit motivating this: