Proposal: generate default config with cors.allow_origin = "*"

[masipcat]

The idea is to make easier to start developing with guillotina and a frontend. Right now guillotina returns a 401 (Unauthorized) when origin is not allowed, and because this is returned from a OPTIONS it's not possible to provide a nice message to distinguish the cors error from a authentication error.

I think most frameworks doesn't have CORS enabled by default and probably the CORS would be managed by a reverse proxy when guillotina is deployed in production, so I think making this opt-in would be better.

What do you think?

[masipcat]

This is related to this #1004

Also, maybe we could change the 401 to 403 (Forbidden)

[vangheem]

We had this very long ago but thought it was a bad idea to have default values that were insecure. Maybe the cookie cutter that creates settings makes this setting explicit?

[masipcat]

We had this very long ago but thought it was a bad idea to have default values that were insecure.

oh ok

Maybe the cookie cutter that creates settings makes this setting explicit?

yes, that's the case https://github.com/plone/guillotina/blob/master/guillotina/cookiecutter/application/%7B%7Bcookiecutter.package_name%7D%7D/config.yaml#L23-L25

[vangheem]

Maybe have the default insecure with a logging message warning about it?

[masipcat]

Sounds good to me! I'll open a PR later