Allow multiple domains in CORS in pmtiles serve

[t0mk]

When serving tiles, it's sometimes useful to whitelist CORS "access" from more than one domain (but not from everywhere). It would be helpful for me if this was possible with pmtiles.

Since response header Access-Control-Allow-Origin only allows to specify one domain name, I think the server code could check Origin header from request, and if it would be one of the whitelisted origins, it would copy it to Access-Control-Allow-Origin in response.

The whitelisted CORS origins could be listed in the --cors argument, just comma-separated. For example:

pmtiles serve ./ --cors="https://mydomain.com,https://otherdomain.com"

I could contribute this. Would you be interested in taking it in?

[bdon]

This is intentionally limited to a single origin, because that CORS feature is intended only for development. If you need multiple CORS origins you should use a reverse proxy like Caddy or Nginx that already supports multiple origins via configuration.

[t0mk]

@bdon , thanks for answering. You are right, it makes more sense to do CORS handling elsewhere. It's just too handy to only use your Docker container in Google Cloud Run. For me, the least-amount-of-effort solution for multiple-CORS is to extend the code, keep local fork, build and push Docker container and just change the container image name in your GCP walkthrough:
https://docs.protomaps.com/deploy/google-cloud#creating-a-cloud-run-container

Thanks for the work on pmtiles and feel free to close this.

[thisisaaronland]

Just passing this along FYI: CORS support was added to the sfomuseum/go-sfomuseum-pmtiles wrapper that we use to serve pmtiles (using the rs/cors package).

[bdon]

You are right, it makes more sense to do CORS handling elsewhere. It's just too handy to only use your Docker container in Google Cloud Run.

It seems reasonable to add multiple CORS support via https://github.com/rs/cors, I imagined many use cases that use go-pmtiles are going to use a CDN in front, @t0mk are you accessing the Cloud Run directly from the browser with no caching in between?

[t0mk]

It seems reasonable to add multiple CORS support via https://github.com/rs/cors, I imagined many use cases that use go-pmtiles are going to use a CDN in front, @t0mk are you accessing the Cloud Run directly from the browser with no caching in between?

Yes, I access the cloud run service directly. For the time being it's good enough for me, I'm still experimenting - deciding if I should host tiles myself with pmtiles or just pay for Stadia map. I could configure loadbalancer with CDN, but I don't want to use (or even activate) Compute. I think I could configure CORS with the Google Cloud Loadbalancer.

[bdon]

@t0mk @thisisaaronland here is a quick spike on using rs/cors, which supports multiple origins as well as wildcards.

#192

This does clean up our own server code quite a bit.