Access-Control-Allow-Origin: * is maybe a bad idea for the status-page-api, since other websites could derive the geo-location of the wifi client from the status page by accessing the api via ajax.
For reference: similar issue in the wifi of DB
Very true. I see two possible solutions without totally breaking the status page:
Access-Control-Allow-Origin: $site.next_node.name$. This will only display neighbour data if the status page is originally called via the next_node address (even if you then navigate away from your next node).
I like (2). It seems like a small change and it will address the problem. <<<- I changed my mind. I like linking even more.
While this will need some transition time, we should simply change the status page to actually link to other nodes' status pages instead of only changing the backend URL when another node is selected, thus avoiding the whole issue.
We could still provide a single Access-Control-Allow-Origin: * endpoint just returning an empty page that can be used to check reachability (and select a neighbour node's address based on this, like it is already done for the backend URL at the moment).
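The two proposals from this thread side by side, as an added example that is not part of the issue or of the project's code: data responses name only the next-node origin, while a separate empty endpoint stays readable from anywhere. The paths `/reachable` and `/neighbours`, the origin `http://nextnode.example`, the sample data and all function names are assumptions made for illustration.

```javascript
// Added example. Paths, origins and data below are constructed, not the project's.
const NEXT_NODE_ORIGINS = new Set(['http://nextnode.example']); // assumed next_node origin
const REACHABILITY_PATH = '/reachable';                          // hypothetical endpoint

// Build the response for one request. `origin` is the browser-supplied
// Origin header (undefined for plain navigation or non-browser clients).
function respond(path, origin, data) {
  if (path === REACHABILITY_PATH) {
    // Readable cross-origin, but the body is empty, so there is nothing to leak.
    return { status: 200, headers: { 'Access-Control-Allow-Origin': '*' }, body: '' };
  }
  // Data endpoints: never '*'. Vary tells caches the headers depend on Origin.
  const headers = { 'Content-Type': 'application/json', 'Vary': 'Origin' };
  // Exact match only; prefix or substring checks would accept look-alike origins.
  if (origin !== undefined && NEXT_NODE_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
  }
  return { status: 200, headers, body: JSON.stringify(data) };
}

// Simplified model of the browser-side CORS check (no credentials):
// may a script running on `pageOrigin` read this response?
function scriptCanRead(response, pageOrigin) {
  const allow = response.headers['Access-Control-Allow-Origin'];
  return allow === '*' || allow === pageOrigin;
}

// Constructed sample of the neighbour data the thread is worried about.
const SAMPLE = { neighbours: [{ id: '02:00:00:00:00:01', signal: -61 }] };

function demo() {
  const cases = [
    ['/neighbours', 'http://nextnode.example'],
    ['/neighbours', 'http://other-site.example'],
    ['/reachable', 'http://other-site.example'],
  ];
  return cases.map(([path, origin]) => {
    const res = respond(path, origin, SAMPLE);
    return { path, origin, readable: scriptCanRead(res, origin), bytes: res.body.length };
  });
}

console.log(demo());
```

CORS headers only control whether the calling page may read the response; the request itself is still sent, which is why the reachability endpoint has to return nothing of value.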