Allow getting a GPX in the browser outside openstreetmap.org #5639

HarelM opened this issue Feb 9, 2025 · 5 comments

@HarelM

HarelM commented Feb 9, 2025

Problem

My site (and app) are uploading the recording to OSM by default to enrich OSM with the data people are collecting.
I would like to avoid the need to go through my backend to fetch a GPX file (private one).
Currently the api returns a 302 redirect, which can't be handled by the browser since there's an authentication header needed in order to get the route (OAuth 2).

Description

I would like to get the GPX trace in the browser outside openstreetmap.org using the OSM API endpoint to allow seeing it, editing it if needed and sharing it with other people outside the OSM website.

The API exists, but since there's a redirect there, it's impossible to fetch it in the browser without going through a proxy...

Screenshots

Image

@tomhughes
Member

This doesn't seem to be an authentication issue?

You seem to be reaching the API endpoint (which I don't believe needs authentication) and you're getting a redirect to S3 which is not something we can avoid unless we build our own proxy.

The problem is that the redirect is being rejected by CORS seemingly because your request was preflighted, but a simple GET request shouldn't need to be preflighted?

@HarelM
Author

HarelM commented Feb 10, 2025

Here's an example of a call to get the data of one of my traces:
Running the following code in the browser console when surfing to https://israelhiking.osm.org.il/:

fetch("https://api.openstreetmap.org/api/0.6/gpx/4192873/data").then(r => r.text()).then(console.log)

Image

Which is expected, as this trace is not "fully public", and thus requires authentication.
When adding the OAuth2 token as a header I get this:

fetch("https://api.openstreetmap.org/api/0.6/gpx/4192873/data", { method: "GET", headers: {Authorization: "Bearer my-token-reducted"}}).then(r => r.text()).then(console.log)

I get the following error:

Image

While there might not be a need to send a preflight request, the browser does this anyway and thus prevents getting the data right from the browser.
Is it possible to add CORS support for the relevant endpoint?
Am I doing something wrong?

@tomhughes
Member

Ah OK the fact that the trace is not public is important information.

As I say we can't really avoid the redirect so the question becomes, can we relax the CORS policy to make this work, and what are the security implications of doing so. I'll have to do some investigation.

@HarelM
Author

HarelM commented Feb 10, 2025

Thanks for looking into this and for the super quick response as usual!
If there's more information I can provide or otherwise help, do let me know.
Relaxing the CORS sounds like the right direction.

@tomhughes
Member

I think I might have misunderstood what's happening. I think what is actually happening is the OPTIONS preflight request is reaching our code and being redirected, but Rack::Cors should have handled it and it should never reach us so I will need to try and figure that out.
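
The behaviour discussed in this thread, as an added example that is not part of any comment above and is not code from the openstreetmap-website project or Rack::Cors: a simplified JavaScript model of the Fetch standard's rules showing why the bare GET is sent without a preflight, why adding the `Authorization` header forces one, and why a redirect answered to the OPTIONS request fails it. The function names and the response object shape are assumptions made for illustration.

```javascript
// Simplified model of the Fetch standard's CORS rules (added example).
// Omitted for brevity: the Range header and header-value length limits.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Reasons a cross-origin request is preflighted; an empty list means no preflight.
function preflightReasons(method, headers = {}) {
  const reasons = [];
  if (!SAFE_METHODS.has(method.toUpperCase())) reasons.push(`method ${method}`);
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    const type = String(value).split(";")[0].trim().toLowerCase();
    if (SAFE_HEADERS.has(n)) continue;
    if (n === "content-type" && SAFE_CONTENT_TYPES.has(type)) continue;
    reasons.push(`header ${n}`);
  }
  return reasons;
}

const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Whether an OPTIONS response lets the real request go ahead.
// resp is a constructed shape: { status, headers } with lower-case header names.
function preflightPasses(resp, origin, method, unsafeHeaders) {
  // Only a 2xx status is accepted; a 302 on the preflight is a failure.
  if (resp.status < 200 || resp.status > 299) return false;
  const allowOrigin = resp.headers["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) return false;
  const methods = list(resp.headers["access-control-allow-methods"]);
  const m = method.toUpperCase();
  if (!SAFE_METHODS.has(m) && !methods.includes(m.toLowerCase()) && !methods.includes("*")) {
    return false;
  }
  const allowed = list(resp.headers["access-control-allow-headers"]);
  // "authorization" must be listed by name; the "*" wildcard does not cover it.
  return unsafeHeaders.every((h) => {
    const n = h.toLowerCase();
    return allowed.includes(n) || (n !== "authorization" && allowed.includes("*"));
  });
}
```

Listing `Authorization` explicitly in `Access-Control-Allow-Headers` on a 2xx preflight response is what the model requires before the authenticated GET is sent.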
