upleb.uk

Public git repos — served from a NIP-34 GRASP relay at git.upleb.uk

summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--05.md13
1 files changed, 13 insertions, 0 deletions
diff --git a/05.md b/05.md
index a006ac1..3267960 100644
--- a/05.md
+++ b/05.md
@@ -50,3 +50,16 @@ Clients may treat the identifier `_@domain` as the "root" identifier, and choose
50### Reasoning for the `/.well-known/nostr.json?name=<local-part>` format 50### Reasoning for the `/.well-known/nostr.json?name=<local-part>` format
51 51
52By adding the `<local-part>` as a query string instead of as part of the path the protocol can support both dynamic servers that can generate JSON on-demand and static servers with a JSON file in it that may contain multiple names. 52By adding the `<local-part>` as a query string instead of as part of the path the protocol can support both dynamic servers that can generate JSON on-demand and static servers with a JSON file in it that may contain multiple names.
53
54### Allowing access from Javascript apps
55
56Javascript Nostr apps may be restricted by browser [CORS][] policies that prevent them from accesing `nostr.json` on the user's domain. When CORS prevents JS from loading a resource, the JS program sees it as a network failure identical to the resource not existing, so it is not possible for a pure-JS app to tell the user for certain that the failure was caused by a CORS issue. JS Nostr apps that see network failures requesting `nostr.json` files may want to recommend to users that they check the CORS policy of their servers, e.g.:
57
58```bash
59$ curl -sI https://example.com/.well-known/nostr.json?name=bob | grep ^Access-Control
60Access-Control-Allow-Origin: *
61```
62
63Users should ensure that their `nostr.json` is served with the HTTP header `Access-Control-Allow-Origin: *` to ensure it can be validated by pure JS apps running in modern browsers.
64
65[CORS]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS