
Spec suggestion: Add CORS recommendation for SPXP servers #12

Description

@mwiesen

Summary

The SPXP specification currently does not mention CORS (Cross-Origin Resource Sharing) headers. This makes it difficult to build browser-based SPXP clients without a proxy.

Problem

When fetching an SPXP profile from a browser:

fetch('https://spxp.org/spxp')
  .then(r => r.json())
  .then(console.log);

This fails in browsers due to missing CORS headers:

Access to fetch at 'https://spxp.org/spxp' from origin 'https://myapp.com' 
has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header 
is present on the requested resource.

Suggestion

Add a SHOULD recommendation to the spec that SPXP servers include CORS headers:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Headers: Content-Type

This would enable:

  • Browser-based SPXP viewers/clients
  • JavaScript-based profile validators
  • Web-based development tools

Rationale

SPXP profiles are public by design (private content is encrypted). Allowing cross-origin access aligns with the protocol's philosophy of openness and client diversity.


Discovered while building a browser-based SPXP profile viewer.
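Added example, not part of the original issue or of the SPXP project: a minimal Node.js handler that serves a profile with the three headers proposed above, answers the `OPTIONS` preflight, and rejects other methods. The profile body, the function names, the port and the `--listen` flag are assumptions made for illustration.

```javascript
// CORS headers exactly as proposed in the issue. Access-Control-Allow-Credentials
// is deliberately absent: browsers reject credentialed requests when the allowed
// origin is the wildcard, and a public profile needs no cookies or HTTP auth.
const CORS_HEADERS = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Methods': 'GET, OPTIONS',
  'Access-Control-Allow-Headers': 'Content-Type',
};

// Constructed sample body; the field name is a placeholder, not taken from the SPXP spec.
const SAMPLE_PROFILE = { name: 'Example profile (constructed)' };

// Decide status, headers and body from the request method alone.
function respond(method) {
  if (method === 'OPTIONS') {
    // Preflight: headers only, no body.
    return { status: 204, headers: { ...CORS_HEADERS }, body: '' };
  }
  if (method === 'GET') {
    return {
      status: 200,
      headers: { ...CORS_HEADERS, 'Content-Type': 'application/json' },
      body: JSON.stringify(SAMPLE_PROFILE),
    };
  }
  // Anything else is outside the read-only surface advertised above.
  return { status: 405, headers: { ...CORS_HEADERS, Allow: 'GET, OPTIONS' }, body: '' };
}

// Adapter with the (req, res) signature expected by http.createServer.
function handler(req, res) {
  const { status, headers, body } = respond(req.method);
  res.writeHead(status, headers);
  res.end(body);
}

// Start a local listener only when run as: node server.js --listen
if (process.argv.includes('--listen')) {
  import('node:http').then((http) => http.createServer(handler).listen(8080, '127.0.0.1'));
}
```

A plain `fetch()` GET like the one in the issue is a simple request and succeeds on `Access-Control-Allow-Origin` alone; the `OPTIONS` branch matters only when a client adds a non-safelisted header such as `Content-Type: application/json`.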
