Consistent origin host for a view (for CORS)

When creating a View feature (e.g. a board view), there are two options for hosting the html/js assets: (1) in my own iframe, or (2) uploading assets in a ZIP file.

The first option is fine, but in the second option the assets are hosted at https://64391103c33a0ba5.cdn2.monday.app/index.html or something similar.

To make a cross-domain request (to my own app’s backend), I need to whitelist 64391103c33a0ba5.cdn2.monday.app on my backend as an allowed CORS origin. (Due to your iframe’s policy that cross-origin needs to be strict and not *.)

That can work, but I haven’t been able to find out whether we should expect that URL to be consistent indefinitely.

Will the URL remain the same across all users, app versions etc, going forward? Or should we expect variations in any part of it, e.g. is there a cdn3 server that might serve these assets etc?

Hello there @danlester,

I checked this with the team. You should not depend on the URL not changing.

This is the way to verify that the call is coming from monday.

Let me know if you have any other questions!

Cheers,
Matias

You may need to create a custom CORS handler which will perform pattern matching on OPTIONS requests, check if it matches the pattern https://*.*.monday.app, and then if so return the sent origin value, if you want to be strict about it. This would handle the pre-flight requests. You’d configure your client in your app making the requests to your backend to do the preflight.

Thanks both. I think the only solution is as Cody says, to basically customise the allowed origin based on (reasonably acceptable) origins that are making the OPTIONS request in the first place.

But perhaps the easiest thing is to go for a self-hosted frontend iframe anyway.

Yeah I concluded that self-hosting it is the only option if you want to use a backend and restrict CORS in any way.
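
The origin check Cody describes, sketched as an added Node.js example (not code from the thread or from monday): it echoes the request's Origin only when it is an exact https origin of the form `<label>.<label>.monday.app`, an assumption taken from the pattern quoted above. Function names and the allowed methods and headers are illustrative; because any view hosted under monday.app passes this check, the backend still has to authenticate each request.

```javascript
// Added example, not monday's or the posters' code.
// Assumption: hosted views are served from https://<label>.<label>.monday.app.
const MONDAY_HOST = /^[a-z0-9-]+\.[a-z0-9-]+\.monday\.app$/;

// Returns the origin to echo back, or null if it must not be allowed.
function allowedOrigin(originHeader) {
  if (typeof originHeader !== "string" || originHeader.length > 255) return null;
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return null; // covers the literal "null" origin and other non-URLs
  }
  // A real Origin header is exactly scheme://host[:port]. If parsing changed
  // anything (path, userinfo, upper case, default port), reject it.
  if (url.origin !== originHeader) return null;
  if (url.protocol !== "https:" || url.port !== "") return null;
  // Anchored match on the parsed hostname, so "x.y.monday.app.example.net" fails.
  return MONDAY_HOST.test(url.hostname) ? url.origin : null;
}

// CORS response headers for one request. "Vary: Origin" is always set so a
// shared cache never replays one origin's answer to another origin.
function corsHeaders(originHeader) {
  const headers = { Vary: "Origin" };
  const origin = allowedOrigin(originHeader);
  if (origin) {
    headers["Access-Control-Allow-Origin"] = origin; // echo, never "*"
    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Handler usable with http.createServer(handleRequest).
function handleRequest(req, res) {
  const headers = corsHeaders(req.headers.origin);
  if (req.method === "OPTIONS") {
    // Preflight: 204 for an accepted origin, 403 otherwise.
    res.writeHead(headers["Access-Control-Allow-Origin"] ? 204 : 403, headers);
    return res.end();
  }
  // CORS only limits what the browser exposes; authenticate the call here.
  res.writeHead(200, { ...headers, "Content-Type": "application/json" });
  res.end(JSON.stringify({ ok: true }));
}
```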