Access-Control-Allow-Origin headers need to be set to allow external origins
The current middleware at https://gitlab.com/iota-foundation/software/powbox/powbox-server/blob/master/src/server/index.js#L60 only allows same-origin requests.
Non-opaque requests from external origins are not allowed.
Opaque requests (with fetch set to mode: "no-cors") can't be used because their response body is not accessible to JavaScript (only services like ServiceWorkers are allowed to handle these).
To fix the powbox hosted at https://powbox.testnet.iota.org/ it would probably make sense to prepend the middleware here with:
res.append('Access-Control-Allow-Origin', ['*']);
res.append('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.append('Access-Control-Allow-Headers', 'Content-Type');
(This obviously allows every origin. People hosting their own powbox most likely DO NOT want to have it set like this; see below.)
To fix a self-hosted powbox, either host it on the same domain that the consuming JavaScript is served from, or change the Access-Control-Allow-Origin header value to the domain that you want to whitelist, e.g.:
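// Placeholder origin. The value must equal the browser's Origin header exactly:
// scheme included, host in lowercase, port only if it is non-default.
res.append('Access-Control-Allow-Origin', ['https://domainWhereMyClientJSLives.com']);
res.append('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.append('Access-Control-Allow-Headers', 'Content-Type');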
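
Added example (not part of the original issue and not powbox-server code): a self-hosted setup that has to allow more than one client origin cannot list them all in a single Access-Control-Allow-Origin value, so the middleware below echoes the request's Origin only when it is on an allowlist and answers the preflight itself. The origins, the `corsAllowlist` name and the `simulate` helper with its stand-in request/response objects are assumptions made for illustration.

```javascript
// Constructed placeholder origins: scheme + lowercase host (+ non-default port).
const ALLOWED_ORIGINS = new Set([
  'https://client.example',
  'https://wallet.example:8443',
]);

// Express-style middleware: echo the request's Origin only if it is allowlisted.
function corsAllowlist(allowed) {
  return function (req, res, next) {
    const origin = req.headers.origin;
    const isPreflight = req.method === 'OPTIONS' &&
      req.headers['access-control-request-method'] !== undefined;

    // The response depends on Origin, so shared caches must key on it.
    res.setHeader('Vary', 'Origin');

    if (origin !== undefined && allowed.has(origin)) {
      res.setHeader('Access-Control-Allow-Origin', origin);
      if (isPreflight) {
        res.setHeader('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
        res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
      }
    }
    if (isPreflight) {
      // Answer the preflight here; without Allow-Origin the browser blocks the call.
      res.statusCode = 204;
      res.end();
      return;
    }
    next();
  };
}

// Constructed request/response stand-ins so the middleware runs without a server.
function simulate(method, headers) {
  const req = { method, headers };
  const res = {
    statusCode: 200, headers: {}, ended: false,
    setHeader(name, value) { this.headers[name.toLowerCase()] = value; },
    end() { this.ended = true; },
  };
  let passedOn = false;
  corsAllowlist(ALLOWED_ORIGINS)(req, res, () => { passedOn = true; });
  return { status: res.statusCode, headers: res.headers, ended: res.ended, passedOn };
}

console.log(simulate('POST', { origin: 'https://client.example' }).headers);
console.log(simulate('POST', { origin: 'https://other.example' }).headers);
```

The comparison is an exact string match, so `http://client.example` or `https://client.example:444` is rejected even though the host is on the list.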