Observable CORS for AWS Galaxy

[HadleyKing]

On galaxy.hyphy.org, we service requests from https://${USERNAME}.static.observableusercontent.com/ (where ${USERNAME} is the user who owns the ObservableHQ notebook) in our NGINX logs. I think the corresponding edit for Apache would be something like:

Header set Access-Control-Allow-Origin "https://*.static.observableusercontent.com/"
Header set Access-Control-Allow-Methods "GET"
Header set Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range"

in /etc/httpd/conf.d/galaxy.conf.

Normally I’d just make this edit myself, check the configs (seems like sudo httpd -t for Apache) and restart the httpd. But since this is a (minor) security concern and it’s your system, I figured I’d run this by you and Dacian first.

[dacianstremtan]

Who is the ${USERNAME}, valid galaxy users?

What is the content brought over via the ORIGIN permissions?

[stephenshank]

Username is the ObservableHQ user. My account is https://observablehq.com/@stephenshank and thus my ${USERNAME} would be stephenshank. For example, Hadley's Galaxy account could in principle target my ObservableHQ user's notebook.

Right now we make queries to Galaxy's API, either requesting files by dataset ID:
https://galaxy.hyphy.org/api/datasets/9bae0b6aed6006a1/display?to_ext=fasta

or history metadata via history ID:
https://galaxy.hyphy.org/api/histories/507bf06c009b95ec

though several GET routes may be of future interest: https://galaxy.hyphy.org/api/docs

[stephenshank]

Any thoughts on whether this edit would be admissible @dacianstremtan? It would really help me test some critical functionality.

[dacianstremtan]

You are trying to pull information from the galaxy instance into an obervablehq dashboard?

[stephenshank]

I am trying to pull information from Galaxy into an ObservableHQ notebook (so ObservableHQ makes the requests to Galaxy).

[dacianstremtan]

That should be fine. As long as you don't push data into galaxy I don't see an issue.