Hi Jan,
I'm trying to talk with the webmaster of the resource I'm trying to embed in my calendar. Here is what he is saying :
Our API and static files are designed to be cross-domain usable. We have many applications that use this mechanism without a problem.
The following codes (jQuery and window.fetch) allow to retrieve the ICS file as you wish, from any page, as you can check here :
>
https://jsfiddle.net/wzm287nj/.
Can you please tell what is the difference of the jsfiddle requests, and the one that are blocked in the infcloud configuration?
Thanks,
Ploc
Le 19/09/2020 à 23:35, Ján Máté a écrit :
Hi Ploc,
the:
X-Requested-With: XMLHttpRequest
indicates that the request is a JavaScript request. The server must allow this header in the Access-Control-Allow-Headers header...
And the authorization header ... maybe there is a bug in the jQuery Ajax request in the source code, there should be something like:
if(inputResource.userAuth.userName!='' &&
inputResource.userAuth.userPassword!='')
... send the header ...
But first you must solve the X-Requested-With header problem ...
JM
On 19 Sep 2020, at 23:18, Ploc <pub2021@acampado.net <mailto:pub2021@acampado.net>> wrote:
Thanks Jan for your answer, I should have read carefully the comment in the config file.
I checked the resource and the server and it appears that the headers are ok to serve resources as CORS :
curl -I
https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics <https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics>
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 19 Sep 2020 09:42:49 GMT
Content-Type: application/octet-stream
Content-Length: 9085
Last-Modified: Mon, 07 Sep 2020 13:33:36 GMT
ETag: "5f5636b0-237d"
Expires: Mon, 19 Oct 2020 09:42:49 GMT
Cache-Control: max-age=2592000
Content-Disposition: attachment
Pragma: public
Cache-Control: public
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Headers: Origin,Authorization,Accept,DNT,User-Agent,If-Modified-Since,Cache-Control,Content-Type,Range
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
As you can see, all origins are available :
Access-Control-Allow-Origin: *
My problem is that InfCloud is hosted on a server where CSP (Content Security Policy) is enabled. I have another error where the remote ics resource is not fetched because the preflight request fails :
Blocage d’une requête multiorigines (Cross-Origin Request) : la
politique « Same Origin » ne permet pas de consulter la ressource distante située sur https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics?_=1600508468800. Raison : l’en-tête « x-requested-with » n’est pas autorisé d’après l’en-tête « Access-Control-Allow-Headers » de la réponse de pré-vérification des requêtes CORS.
In other words, there cannot be the x-requested-with header along with the Access-Control-Allow-Headers header.
As far as I understand, this is due to the response of the OPTION request and answer to static.data.gouv.fr which does not contain the correct header:
request:
> Access-Control-Request-Headers: authorization,x-requested-with
response:
> Access-Control-Allow-Headers: Origin,Authorization,Accept,DNT,User-Agent,If-Modified-Since,Cache-Control,Content-Type,Range
I don't understand why is there this authorization header as I'm not using any credential to retrieve this static public resource:
var globalSubscribedCalendars={
hrefLabel: 'Subscribed',
calendars: [
{
href: 'https://static.data.gouv.fr/resources/le-cal endrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics',
userAuth: {
userName: '',
userPassword: ''
},
typeList: ['vevent'],
ignoreAlarm: true,
displayName: 'vacances scolaires',
color: '#ff0000'
}
]
};
I can't find any way to fix this issue.
Do you have any idea about that?
Thanks,
Ploc
Le 19/09/2020 à 11:25, Ján Máté a écrit :
Hi Ploc,
yes of course, from the config.js:
// globalSubscribedCalendars
// This option specifies a list of remote URLs to ics files (e.g.: used
// for distributing holidays information). Subscribed calendars are
// ALWAYS read-only. *Remote servers where ics files are hosted MUST*
// *return proper CORS headers (see readme.txt) otherwise this
functionality*
// *will not work!*
The main problem is related to CORS, because all JavaScript (XHR) requests are subject of CORS limitations in modern browsers :-/
JM
On 19 Sep 2020, at 00:37, Ploc <pub2021@acampado.net <mailto:pub2021@acampado.net>> wrote:
Is there a way to add an additional external ics resource in infcloud config file?
I'm thinking about a static ics read-only calendar, such as holidays calendar:
https://www.data.gouv.fr/fr/datasets/le-calendrier-scolaire-format-ical/#resource-f3071c91-bd33-43e9-9fd5-3d6e3bfe7499 (french school holidays calendar)
Thanks for your answer.