Hi Ploc,

the:
X-Requested-With: XMLHttpRequest

indicates that the request is a JavaScript request. The server must allow this header in the Access-Control-Allow-Headers header...

And the authorization header ... maybe there is a bug in the jQuery Ajax request in the source code, there should be something like:

if(inputResource.userAuth.userName!='' && inputResource.userAuth.userPassword!='')
... send the header ...

But first you must solve the X-Requested-With header problem ...


JM

On 19 Sep 2020, at 23:18, Ploc <pub2020@acampado.net> wrote:

Thanks Jan for your answer, I should have read carefully the comment in the config file.

I checked the resource and the server and it appears that the headers are ok to serve resources as CORS:

curl -I https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 19 Sep 2020 09:42:49 GMT
Content-Type: application/octet-stream
Content-Length: 9085
Last-Modified: Mon, 07 Sep 2020 13:33:36 GMT
ETag: "5f5636b0-237d"
Expires: Mon, 19 Oct 2020 09:42:49 GMT
Cache-Control: max-age=2592000
Content-Disposition: attachment
Pragma: public
Cache-Control: public
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Headers: Origin,Authorization,Accept,DNT,User-Agent,If-Modified-Since,Cache-Control,Content-Type,Range
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes

As you can see, all origins are available:

Access-Control-Allow-Origin: *

My problem is that InfCloud is hosted on a server where CSP (Content Security Policy) is enabled. I have another error where the remote ics resource is not fetched because the preflight request fails:

Blocage d’une requête multiorigines (Cross-Origin Request) : la politique « Same Origin » ne permet pas de consulter la ressource distante située sur https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics?_=1600508468800. Raison : l’en-tête « x-requested-with » n’est pas autorisé d’après l’en-tête « Access-Control-Allow-Headers » de la réponse de pré-vérification des requêtes CORS.

In other words, there cannot be the x-requested-with header along with the Access-Control-Allow-Headers header.

As far as I understand, this is due to the response of the OPTION request and answer to static.data.gouv.fr which does not contain the correct header:

request:

> Access-Control-Request-Headers: authorization,x-requested-with

response:

> Access-Control-Allow-Headers: Origin,Authorization,Accept,DNT,User-Agent,If-Modified-Since,Cache-Control,Content-Type,Range

I don't understand why there is this authorization header as I'm not using any credential to retrieve this static public resource:

var globalSubscribedCalendars={
       hrefLabel: 'Subscribed',
       calendars: [
               {
                       href: 'https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics',
                       userAuth: {
                               userName: '',
                               userPassword: ''
                       },
                       typeList: ['vevent'],
                       ignoreAlarm: true,
                       displayName: 'vacances scolaires',
                       color: '#ff0000'
               }
       ]
};

I can't find any way to fix this issue.

Do you have any idea about that?

Thanks,

Ploc


On 19/09/2020 at 11:25, Ján Máté wrote:
Hi Ploc,
yes of course, from the config.js:
   // globalSubscribedCalendars
   // This option specifies a list of remote URLs to ics files (e.g.: used
   // for distributing holidays information). Subscribed calendars are
   // ALWAYS read-only. *Remote servers where ics files are hosted MUST*
   // *return proper CORS headers (see readme.txt) otherwise this functionality*
   // *will not work!*
The main problem is related to CORS, because all JavaScript (XHR) requests are subject to CORS limitations in modern browsers :-/
JM
On 19 Sep 2020, at 00:37, Ploc <pub2020@acampado.net> wrote:

Is there a way to add an additional external ics resource in infcloud config file?

I'm thinking about a static ics read-only calendar, such as holidays calendar:

https://www.data.gouv.fr/fr/datasets/le-calendrier-scolaire-format-ical/#resource-f3071c91-bd33-43e9-9fd5-3d6e3bfe7499 (french school holidays calendar)

Thanks for your answer.
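
The preflight header check discussed in this thread, as an added example that is not part of the original messages or of InfCloud's code: it compares the Access-Control-Request-Headers value sent by the browser with the Access-Control-Allow-Headers value returned by the server and reports the header names that are not covered. The function names are hypothetical; the header values are copied from the messages above, except where marked as constructed.

```javascript
// Split a comma-separated header list into lower-cased names
// (header names are compared case-insensitively).
function parseHeaderList(value) {
  return (value || '')
    .split(',')
    .map((name) => name.trim().toLowerCase())
    .filter((name) => name.length > 0);
}

// Return the requested headers that the preflight response does not allow.
// An empty result means the header part of the preflight check passes.
function disallowedHeaders(requestHeaders, allowHeaders, withCredentials = false) {
  const requested = parseHeaderList(requestHeaders);
  const allowed = new Set(parseHeaderList(allowHeaders));
  // "*" acts as a wildcard only for requests without credentials, and it
  // never covers Authorization, which must always be listed by name.
  const wildcard = allowed.has('*') && !withCredentials;
  return requested.filter((name) => {
    if (allowed.has(name)) return false;
    if (wildcard && name !== 'authorization') return false;
    return true;
  });
}

// Header values copied from the thread above.
const REQUESTED = 'authorization,x-requested-with';
const SERVER_ALLOWS =
  'Origin,Authorization,Accept,DNT,User-Agent,If-Modified-Since,' +
  'Cache-Control,Content-Type,Range';

// The server's current list: x-requested-with is not covered.
console.log(disallowedHeaders(REQUESTED, SERVER_ALLOWS));

// Constructed variant: the same list with X-Requested-With added.
console.log(disallowedHeaders(REQUESTED, SERVER_ALLOWS + ',X-Requested-With'));
```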