Cdn.wanikani.com and CORS

It's not a problem :slight_smile:

Finally found some time to get myself in front of a computer.

Here is a cURL to one of the SVGs.

```
curl -H "Origin: https://www.wkstats.com" --verbose https://cdn.wanikani.com/images/legacy/98-subject-1-with-css-original.svg\?1520987072
*   Trying 13.32.254.54...
* TCP_NODELAY set
* Connected to cdn.wanikani.com (13.32.254.54) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: OU=Domain Control Validated; OU=EssentialSSL Wildcard; CN=*.wanikani.com
*  start date: May 16 00:00:00 2016 GMT
*  expire date: Jun 15 23:59:59 2019 GMT
*  subjectAltName: host "cdn.wanikani.com" matched cert's "*.wanikani.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fd4a980d600)
> GET /images/legacy/98-subject-1-with-css-original.svg?1520987072 HTTP/2
> Host: cdn.wanikani.com
> User-Agent: curl/7.54.0
> Accept: */*
> Origin: https://www.wkstats.com
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200 
< content-type: image/svg+xml
< content-length: 257
< date: Fri, 12 Oct 2018 04:57:42 GMT
< access-control-allow-origin: *
< access-control-allow-methods: GET
< access-control-max-age: 86400
< last-modified: Wed, 14 Mar 2018 00:24:33 GMT
< etag: "6dd0e5beb1cf1c38b2faf842d711c019"
< accept-ranges: bytes
< server: AmazonS3
< vary: Origin,Access-Control-Request-Headers,Access-Control-Request-Method
< x-cache: Miss from cloudfront
< via: 1.1 400e19a7f70282e0817451f6606ca8f9.cloudfront.net (CloudFront)
< x-amz-cf-id: AlAvGSmwxLGj10PtGiZaisdI-5taPL-fGrUAq_RcYSzJno8cx4b23g==
< 
* Connection #0 to host cdn.wanikani.com left intact
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 1000"><defs><style>.a{fill:none;stroke:#000;stroke-linecap:square;stroke-miterlimit:2;stroke-width:68px;}</style></defs><title>ground</title><line class="a" x1="60" y1="500" x2="940" y2="500"/></svg>
```

Looks like it is returning a splat origin now.

access-control-allow-origin: *
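An added example, not part of the original post: a small checker that reads the `< name: value` response lines from `curl --verbose` output like the above and applies the browser's CORS read check, including the rule that a wildcard origin is refused for credentialed requests. The function names, the sample path and the sample text are assumptions constructed for illustration.

```python
# Added example (not from the original post): evaluate the CORS headers that
# `curl --verbose` prints as "< name: value" lines, the way a browser would.

# Constructed sample, modelled on the response headers shown in the post.
SAMPLE = """\
> GET /images/example.svg HTTP/2
> Origin: https://www.wkstats.com
< HTTP/2 200
< content-type: image/svg+xml
< access-control-allow-origin: *
< access-control-allow-methods: GET
< vary: Origin,Access-Control-Request-Headers,Access-Control-Request-Method
"""

def parse_curl_response_headers(verbose_text):
    """Collect response headers; '* ' info, '> ' request and status lines are skipped."""
    headers = {}
    for line in verbose_text.splitlines():
        if not line.startswith("< ") or ":" not in line:
            continue
        name, _, value = line[2:].partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def cors_read_allowed(headers, origin, with_credentials=False):
    """Return (allowed, reason) for a cross-origin GET issued from `origin`."""
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin header"
    if with_credentials:
        if acao == "*":
            return False, "wildcard is rejected for credentialed requests"
        if headers.get("access-control-allow-credentials") != "true":
            return False, "Access-Control-Allow-Credentials is not 'true'"
    if acao == "*":
        return True, "wildcard: any origin may read the response"
    if acao == origin:
        return True, "origin echoed exactly"
    return False, "allowed origin does not match the requesting origin"

def vary_covers_origin(headers):
    """A shared cache must key on Origin when the CORS answer can differ per origin."""
    tokens = [t.strip().lower() for t in headers.get("vary", "").split(",")]
    return "origin" in tokens or "*" in tokens

if __name__ == "__main__":
    parsed = parse_curl_response_headers(SAMPLE)
    print(cors_read_allowed(parsed, "https://www.wkstats.com"))
    print(cors_read_allowed(parsed, "https://www.wkstats.com", with_credentials=True))
    print("Vary covers Origin:", vary_covers_origin(parsed))
```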