apiconsole: allow uploads in console

By adding an XHR to "Try it out" requests, we can make non-JSON requests pass a CORS check.
2024-10-27 20:44:07 +00:00 · 2024-07-25 23:01:55 -04:00 · 2024-07-25 23:01:55 -04:00 · c9f9b70b67
commit c9f9b70b67
parent a9521a8544
1 changed files with 19 additions and 0 deletions
--- a/app/client/apiconsole.ts
+++ b/app/client/apiconsole.ts
@ -293,6 +293,25 @@ function initialize(appModel: AppModel) {

 function requestInterceptor(request: SwaggerUI.Request) {
  delete request.headers.Authorization;
+  const url = new URL(request.url);
+  // Swagger will use this request interceptor for several kinds of
+  // requests, such as requesting the API YAML spec from Github:
+  //
+  //      Function to intercept remote definition, "Try it out",
+  //      and OAuth 2.0 requests.
+  //
+  //    https://swagger.io/docs/open-source-tools/swagger-ui/usage/configuration/
+  //
+  // We want to ensure that only "Try it out" requests have XHR, so
+  // that they pass a same origin request, even if they're not GET,
+  // HEAD, or OPTIONS. "Try it out" requests are the requests to the
+  // same origin.
+  if (url.origin === window.origin) {
+    // Without this header, unauthenticated multipart POST requests
+    // (i.e. file uploads) would fail in the API console. We want those
+    // requests to succeed.
+    request.headers['X-Requested-With'] = 'XMLHttpRequest';
+  }
  return request;
 }