CORS for Gramps Web API

Hello,

I want to create a small web page which summarizes some content stored in Gramps Web. But as this page is served from a different location than the backend, I get CORS errors.

As CORS is just a client-side (browser) implementation, there is no security benefit for the backend, as other clients can just connect to the backend.

Therefore, my proposal is to add a CORS header (Access-Control-Allow-Origin: *) to the backend responses.

Before creating a corresponding feature/pull request I wanted to discuss the implications here. Are there any arguments against this change?

Thanks

Sven

Sure, use CORS_ORIGINS, see Server configuration - Gramps Web.

Thanks for the hint, I missed that configuration.
Is there a good reason not to have it set by default?

Well … I think it makes sense to be more cautious by default and it’s trivial to change. It’s true that it doesn’t bring a security benefit for the backend, but it’s still not completely useless for the frontend/backend combination, depending on what the server owner wants…
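
The trade-off discussed in this thread, as an added example that is not part of any post and not Gramps Web's own code: a simplified Python model of what a server sends for an origin allow-list versus the wildcard, and what a browser then enforces. The function names and the example origins are constructed for illustration.

```python
"""Simplified model of the CORS origin check (server side and browser side)."""


def cors_headers(request_origin, allowed_origins):
    """Headers a server adds, given an origin allow-list (["*"] = any origin)."""
    if "*" in allowed_origins:
        return {"Access-Control-Allow-Origin": "*"}
    # The response now depends on the Origin header, so tell shared caches.
    headers = {"Vary": "Origin"}
    if request_origin in allowed_origins:
        # Echo only the single matching origin, never the whole list.
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers


def browser_allows_read(page_origin, response_headers, with_credentials=False):
    """Whether a browser lets the page's script read the response.

    The server has already answered at this point; CORS only decides if the
    calling page may see the result. Non-browser clients skip this check.
    """
    allow = response_headers.get("Access-Control-Allow-Origin")
    if allow is None:
        return False
    if allow == "*":
        # Browsers refuse the wildcard for requests sent with credentials.
        return not with_credentials
    return allow == page_origin


def demo():
    """Run constructed origins through both configurations."""
    own_page = "https://summary.example"    # constructed: the owner's page
    other_page = "https://unrelated.example"  # constructed: any other site
    allow_list = [own_page]
    results = {}
    for name, config in (("allow-list", allow_list), ("wildcard", ["*"])):
        for page in (own_page, other_page):
            headers = cors_headers(page, config)
            results[(name, page)] = browser_allows_read(page, headers)
    return results


if __name__ == "__main__":
    for key, readable in demo().items():
        print(key, "readable" if readable else "blocked")
```

With the allow-list only the listed page can read responses in a browser, while the wildcard lets any page do so unless the request carries credentials.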