Is it possible enable CORS

[barnabas-szekeres]

I didn't find any information about CORS settings in documentation :(

Is it possible to modify and allow concrete domains?

[CaroFG]

Hello! Sorry nobody answered your question before. It is not possible to modify CORS for now, sorry :( But you could use a reverse proxy (Nginx for example) to set headers like Access-Control-Allow-Origin :)

[CaroFG]

Check this issue: meilisearch/documentation#678

[candidosales]

@CaroFG , one of meilisearch's philosophies is to improve the developer experience. This way presented in the thread above does not work for those deploying Meilisearch using Docker.

I use Meilisearch Docker deployed in Render, and it would be handy to have an environment variable to configure CORS, like:

• MEILI_HTTP_CORS_HEADER_RULES: 'http://localhost:8080','https://*.vercel.app','https://producation.domain.com'

[CaroFG]

Hi @candidosales , thank you for your input!
@gmourier shall we move this suggestion to the product repo?

[gmourier]

Hello @candidosales and @CaroFG 👋

I'm sorry for the late answer, I have transferred it to the product repository as a discussion and will come back to it whenever we can

[balach]

Not sure if this has now been enabled for self-hosted instances, but I have a similar need for MeiliSearch Cloud. Currently the Meili Servers set Access-Control-Allow-Origin to *, which is great until someone opens your frontend on Safari. Safari with its strict security controls tends to block these requests sporadically, and you could say they should do a better job, but it is what it is, and people suggest that chrome will follow.
This post explains the issue in a bit more detail: https://medium.com/prodigy-engineering/is-safari-getting-stricter-with-cors-8767c809c726

Ask:
Expose a setting on project or ideally index level, that let's the admin set explicit values for Access-Control-Allow-Origin, with "*" being the default.
Allowing the setting to be on index level would help me setup a lighter index to use against our staging environment where I leave Access-Control-Allow-Origin to *, as it'll be used for localhost development.

P.S. I have noticed the issue with another firebase API I use as well, so it really seems like a matter of setting the right header.

[macraig]

Hi @balach , thank you for the detailed feedback. We will look into this during our future planning sessions.

[CaroFG]

I think we should change the category to "feedback and feature proposal", wdyt @gmourier, @macraig ?

[macraig]

Thanks for flagging @CaroFG , I've moved it to the feedback and feature request section