From 57b86d2482509bad04067e646b130c41f9433923 Mon Sep 17 00:00:00 2001 From: "David A. Harding" Date: Sat, 7 May 2022 08:31:02 -1000 Subject: [PATCH] NIP05: warn about CORS policies that may inhibit JS apps JS Nostr apps such as Branle may not be able to load `nostr.json` files due to CORS policies. Update NIP05 to warn about this and provide hints for troubleshooting and fixing the issue. --- 05.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/05.md b/05.md index a006ac1..3267960 100644 --- a/05.md +++ b/05.md @@ -50,3 +50,16 @@ Clients may treat the identifier `_@domain` as the "root" identifier, and choose ### Reasoning for the `/.well-known/nostr.json?name=` format By adding the `` as a query string instead of as part of the path the protocol can support both dynamic servers that can generate JSON on-demand and static servers with a JSON file in it that may contain multiple names. + +### Allowing access from Javascript apps + +Javascript Nostr apps may be restricted by browser [CORS][] policies that prevent them from accesing `nostr.json` on the user's domain. When CORS prevents JS from loading a resource, the JS program sees it as a network failure identical to the resource not existing, so it is not possible for a pure-JS app to tell the user for certain that the failure was caused by a CORS issue. JS Nostr apps that see network failures requesting `nostr.json` files may want to recommend to users that they check the CORS policy of their servers, e.g.: + +```bash +$ curl -sI https://example.com/.well-known/nostr.json?name=bob | grep ^Access-Control +Access-Control-Allow-Origin: * +``` + +Users should ensure that their `nostr.json` is served with the HTTP header `Access-Control-Allow-Origin: *` to ensure it can be validated by pure JS apps running in modern browsers. + +[CORS]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS