Hi Jan,
I'm trying to talk with the webmaster of the resource I'm trying to embed in my calendar. Here is what he is saying:
Our API and static files are designed to be cross-domain usable. We have many applications that use this mechanism without a problem.
The following code (jQuery and window.fetch) allows you to retrieve the ICS file as you wish, from any page, as you can check here:
Can you please tell me what the difference is between the jsfiddle requests and the ones that are blocked in the infcloud configuration?
Thanks,
Ploc
On 19/09/2020 at 23:35, Ján Máté wrote:
Hi Ploc,
the:
X-Requested-With: XMLHttpRequest
indicates that the request is a JavaScript request. The server must allow this header in the Access-Control-Allow-Headers header...
And the authorization header ... maybe there is a bug in the jQuery Ajax request in the source code, there should be something like:
if(inputResource.userAuth.userName!='' && inputResource.userAuth.userPassword!='') ... send the header ...
But first you must solve the X-Requested-With header problem ...
JM
On 19 Sep 2020, at 23:18, Ploc <pub2021@acampado.net> wrote:
Thanks Jan for your answer, I should have read carefully the comment in the config file.
I checked the resource and the server and it appears that the headers are ok to serve resources as CORS:
curl -I https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 19 Sep 2020 09:42:49 GMT
Content-Type: application/octet-stream
Content-Length: 9085
Last-Modified: Mon, 07 Sep 2020 13:33:36 GMT
ETag: "5f5636b0-237d"
Expires: Mon, 19 Oct 2020 09:42:49 GMT
Cache-Control: max-age=2592000
Content-Disposition: attachment
Pragma: public
Cache-Control: public
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Headers: Origin,Authorization,Accept,DNT,User-Agent,If-Modified-Since,Cache-Control,Content-Type,Range
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
As you can see, all origins are available:
Access-Control-Allow-Origin: *
My problem is that InfCloud is hosted on a server where CSP (Content Security Policy) is enabled. I have another error where the remote ics resource is not fetched because the preflight request fails:
Blocage d’une requête multiorigines (Cross-Origin Request) : la politique « Same Origin » ne permet pas de consulter la ressource distante située sur https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/202.... Raison : l’en-tête « x-requested-with » n’est pas autorisé d’après l’en-tête « Access-Control-Allow-Headers » de la réponse de pré-vérification des requêtes CORS.
In other words, there cannot be the x-requested-with header along with the Access-Control-Allow-Headers header.
As far as I understand, this is due to the response of the OPTIONS request and answer to static.data.gouv.fr which does not contain the correct header:
request:
Access-Control-Request-Headers: authorization,x-requested-with
response:
Access-Control-Allow-Headers: Origin,Authorization,Accept,DNT,User-Agent,If-Modified-Since,Cache-Control,Content-Type,Range
I don't understand why there is this authorization header, as I'm not using any credentials to retrieve this static public resource:
var globalSubscribedCalendars={
	hrefLabel: 'Subscribed',
	calendars: [
		{
			href: 'https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics',
			userAuth: {
				userName: '',
				userPassword: ''
			},
			typeList: ['vevent'],
			ignoreAlarm: true,
			displayName: 'vacances scolaires',
			color: '#ff0000'
		}
	]
};
I can't find any way to fix this issue.
Do you have any idea about that?
Thanks,
Ploc
On 19/09/2020 at 11:25, Ján Máté wrote:
Hi Ploc,
yes of course, from the config.js:
// globalSubscribedCalendars
// This option specifies a list of remote URLs to ics files (e.g.: used
// for distributing holidays information). Subscribed calendars are
// ALWAYS read-only. *Remote servers where ics files are hosted MUST*
// *return proper CORS headers (see readme.txt) otherwise this functionality*
// *will not work!*
The main problem is related to CORS, because all JavaScript (XHR) requests are subject to CORS limitations in modern browsers :-/
JM
On 19 Sep 2020, at 00:37, Ploc <pub2021@acampado.net> wrote:
Is there a way to add an additional external ics resource in infcloud config file?
I'm thinking about a static ics read-only calendar, such as holidays calendar:
https://www.data.gouv.fr/fr/datasets/le-calendrier-scolaire-format-ical/#res... (French school holidays calendar)
Thanks for your answer.
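
Added example (not part of the original thread and not InfCloud's code): a small JavaScript model of the preflight check discussed above, run against the Access-Control-Allow-Headers value quoted in the thread. The function names, the placeholder Authorization value and the "plain GET" case are assumptions made for illustration.

```javascript
// Added example: a model of the browser's CORS preflight header check.
// Header names are case-insensitive, so everything is lower-cased.
// Simplification: only the core safelist is modelled, and Content-Type is
// treated as always safelisted (browsers restrict it to a few media types).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

function parseList(value) {
  return (value || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Header names that force a preflight; the browser sends them, sorted,
// in Access-Control-Request-Headers. An empty result means no preflight
// for a GET request.
function preflightHeaders(requestHeaders) {
  return Object.keys(requestHeaders)
    .map(h => h.toLowerCase())
    .filter(h => !SAFELISTED.has(h))
    .sort();
}

// Requested headers that the preflight response does not allow.
function blockedHeaders(requested, allowHeadersValue, withCredentials = false) {
  const allowed = new Set(parseList(allowHeadersValue));
  // "*" is a wildcard only without credentials, and never covers Authorization.
  const wildcard = allowed.has('*') && !withCredentials;
  return requested.filter(h => !allowed.has(h) && !(wildcard && h !== 'authorization'));
}

// Access-Control-Allow-Headers value returned by static.data.gouv.fr (from the thread).
const ALLOW = 'Origin,Authorization,Accept,DNT,User-Agent,If-Modified-Since,' +
  'Cache-Control,Content-Type,Range';

// Constructed request headers: the two names are from the thread, the values are placeholders.
const xhrWithExtras = { 'Authorization': 'Basic PLACEHOLDER', 'X-Requested-With': 'XMLHttpRequest' };
const plainGet = {}; // assumption: a GET that sets no custom headers

function report(headers) {
  const requested = preflightHeaders(headers);
  return { preflight: requested.length > 0, requested, blocked: blockedHeaders(requested, ALLOW) };
}

console.log(report(xhrWithExtras));
console.log(report(plainGet));
```

The first report lists x-requested-with as blocked, which is the header named in the browser error; the second shows that a GET without custom headers needs no preflight at all.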