Datasette plugin for configuring CORS headers, based on asgi-cors.
You can use this plugin to allow JavaScript running on an allowlisted set of domains to make fetch() calls to the JSON API provided by your Datasette instance.
datasette install datasette-corsYou need to add some plugin configuration for this plugin to take effect.
To allowlist specific domains, use this:
{
"plugins": {
"datasette-cors": {
"hosts": ["https://www.example.com"]
}
}
}This affects the access-control-allow-origin header.
You can also allowlist host patterns like this:
{
"plugins": {
"datasette-cors": {
"host_wildcards": ["https://*.example.com"]
}
}
}To allow all origins, use:
{
"plugins": {
"datasette-cors": {
"allow_all": true
}
}
}This sets the access-control-allow-origin header to *.
You can specify allowed headers - with the access-control-allow-headers header - using the headers option:
{
"plugins": {
"datasette-cors": {
"allow_all": true,
"headers": ["Authorization", "Content-Type"]
}
}
}To allow specific HTTP methods with the access-control-allow-methods header, use the methods option:
{
"plugins": {
"datasette-cors": {
"allow_all": true,
"methods": ["GET", "POST", "OPTIONS"]
}
}
}You can set the access-control-max-age header using the max_age option:
{
"plugins": {
"datasette-cors": {
"allow_all": true,
"max_age": 3600
}
}
}To test this plugin out, run it locally by saving one of the above examples as metadata.json and running this:
datasette -m metadata.jsonWith Datasette 1.0 use -c config.json instead, or try this:
datasette -s plugins.datasette-cors.allow_all trueNow visit https://www.example.com/ in your browser, open the browser developer console and paste in the following:
fetch("http://127.0.0.1:8001/_memory.json?sql=select+sqlite_version%28%29").then(r => r.json()).then(console.log)If the plugin is working correctly, you will see the JSON response output to the console.