CORS policy

[znikasz]

Thank you for making https://rest.variantvalidator.org/ public. Would it be possible to set Cross-Origin Resource Sharing so that VV Rest is consumable by other websites?

Thanks

[Peter-J-Freeman]

Hi @znikasz

sorry for the very late response. I didn't see this.

Let's discuss in more detail. Happy to consider all requests

[znikasz]

Hi,

thank you for the response.

We have simple website in our lab that we use for describing a variant. It uses REST for gathering data from several places, we would like to include VariantValidator. The query is done by the browser, it looks like:

curl 'https://rest.variantvalidator.org/VariantValidator/variantvalidator/GRCh38/chr6%3A160585140%3AT%3AG/all?content-type=application/json' \
  -H 'Connection: keep-alive' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36' \
  -H 'Origin: http://localhost:4201' \
  -H 'Sec-Fetch-Site: cross-site' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Referer: http://localhost:4201/variant?q=6:160585140-T%3EG'

However, web browsers cannot consume the answer due to the CORS restrictions. It is well described here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin . The solution would be to attach a header Access-Control-Allow-Origin: * in the response.

Response for:

curl 'https://rest.variantvalidator.org/VariantValidator/variantvalidator/GRCh38/chr6%3A160585140%3AT%3AG/all?content-type=application/json' \
  -I \
  -H 'Connection: keep-alive' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36' \
  -H 'Origin: http://localhost:4201' \
  -H 'Sec-Fetch-Site: cross-site' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Referer: http://localhost:4201/variant?q=6:160585140-T%3EG'

should then be:

HTTP/1.1 200 OK
Date: Fri, 17 Apr 2020 08:11:46 GMT
Server: Apache
Content-Length: 1635
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Access-Control-Allow-Origin: *
Content-Type: application/json

I have no experience in Python, so I don't know how to implement this, unfortunately. However, you can for sure add such header in Apache or any other reverse proxy, if you use one.

[leicray]

Can this be fixed?

The BOOSTB4 project needs to use the API to validate patient variant submissions to their database. At present, calls to the API form their system are returning errors such as:

‘Access to XMLHttpRequest at 'https://rest.variantvalidator.org/VariantValidator/variantvalidator/GRCh37/NM_000088.3:c.589G%3ET/all?content-type=application%2Fjson' from origin 'https://www.medscinet.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.’

[Peter-J-Freeman]

This is a question for IT services not here. Its an IT issue who is on blocked policies.

Tell the BOOSTB4 team, however, to use the dev version on https://www35.lamp.le.ac.uk/ because it is where the most up-to-date versions are found.

Let me know if that works

[leicray]

I will raise the issue with IT Services. Which LAMP is hosting https://rest.variantvalidator.org/ ?

I'll get back to you on whether the dev version works for the BOOSTB4 team.

[Peter-J-Freeman]

https://www188.lamp.le.ac.uk/

[Peter-J-Freeman]

BOSTB4 are better using dev for now to avoid issues in the furure