Replies: 1 comment
Yep. This can be added to the docs.
(I am the maintainer of the Cloudron Listmonk package)
There are a bunch of issues around CORS: #882, #1523, #1896, #1521 and even a closed PR #2000.
First, I would like to start by saying that CORS is a feature of the app and the rules have to be defined by the app. It's not safe to have end users blindly set CORS rules without knowing the auth model of the app. Even in the thread at #1523, `Access-Control-Allow-Credentials: true` allows a 3rd party website to make authenticated requests to Listmonk. If it's embedded in some site like WP or a CMS, which are very "plugin" based, maybe Listmonk admin calls can be made with the cookies in the browser. All this depends on whether Listmonk uses cookies for auth in the first place. A user has no idea which API calls are meant to be public (CORS) and which are meant to be "admin" (non-CORS). This is why CORS rules should really be defined by the app, since it's at the URL/route level.
Now, where to put these CORS rules is a separate issue. Maybe Listmonk wants to provide a settings UI to configure this (ideal). But it's also totally fine if we can have the nginx/apache headers listed in the docs and have the users paste exactly those rules in their reverse proxy. But the main point is the rules have to come from the app.
cc @knadh
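One way to realise the route-level policy the comment argues for, as an added example written for this page (it is not Listmonk's middleware; the route table, paths and origins are constructed): a Go `net/http` middleware that emits CORS headers only for routes the app itself marks public, never for admin routes, and never with `Access-Control-Allow-Credentials`, so a reverse-proxy operator has nothing to guess.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Route table owned by the app: only routes listed here are public, and each
// carries its own origin allowlist. Constructed values, not Listmonk's real routes.
var publicRoutes = map[string]map[string]bool{
	"/api/public/subscription": {"https://blog.example.com": true},
}

// corsMiddleware sets CORS headers only for a route the app declares public and
// only for a listed Origin. Admin routes never get CORS headers, and
// Access-Control-Allow-Credentials is never sent, so a page on another origin
// can neither read admin responses nor ride on the browser's session cookie.
func corsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if allowed := publicRoutes[r.URL.Path]; origin != "" && allowed[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
			w.Header().Add("Vary", "Origin") // caches must not reuse across origins
			if r.Method == http.MethodOptions { // preflight is answered here
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// corsHeadersFor runs one request through the middleware and returns the response headers.
func corsHeadersFor(method, path, origin string) http.Header {
	h := corsMiddleware(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header()
}

func main() {
	fmt.Println(corsHeadersFor("OPTIONS", "/api/public/subscription", "https://blog.example.com"))
	fmt.Println(corsHeadersFor("GET", "/api/subscribers", "https://blog.example.com")) // no CORS headers
}
```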