Spec suggestion: Add CORS recommendation for SPXP servers #12

@mwiesen

Summary

The SPXP specification currently does not mention CORS (Cross-Origin Resource Sharing) headers. This makes it difficult to build browser-based SPXP clients without a proxy.

Problem

When fetching an SPXP profile from a browser:

fetch('https://spxp.org/spxp')
  .then(r => r.json())
  .then(console.log);

This fails in browsers due to missing CORS headers:

Access to fetch at 'https://spxp.org/spxp' from origin 'https://myapp.com' 
has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header 
is present on the requested resource.

Suggestion

Add a SHOULD recommendation to the spec that SPXP servers include CORS headers:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Headers: Content-Type

This would enable:

  • Browser-based SPXP viewers/clients
  • JavaScript-based profile validators
  • Web-based development tools

Rationale

SPXP profiles are public by design (private content is encrypted). Allowing cross-origin access aligns with the protocol's philosophy of openness and client diversity.


Discovered while building a browser-based SPXP profile viewer.
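
A minimal Node.js server that sends the headers proposed in the issue above and answers the `OPTIONS` preflight. This is an added example, not part of the original issue or the SPXP project's code. `PROFILE`, `respond`, `startServer` and the port are hypothetical names, and the profile body is a constructed placeholder rather than real SPXP data.

```javascript
// Added example: the CORS headers from the suggestion, applied by a small server.
// PROFILE is a constructed placeholder body, not a real SPXP profile.
const PROFILE = { name: 'Example Profile' };

// Header set copied from the issue's suggestion. Access-Control-Allow-Credentials
// is deliberately absent: browsers reject a wildcard origin on credentialed
// requests, so "*" only exposes what an anonymous GET could already read.
const CORS_HEADERS = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Methods': 'GET, OPTIONS',
  'Access-Control-Allow-Headers': 'Content-Type',
};

// Pure handler: maps an HTTP method to { status, headers, body }.
function respond(method) {
  if (method === 'OPTIONS') {
    // Preflight request: return the policy only, with no body.
    return { status: 204, headers: { ...CORS_HEADERS }, body: '' };
  }
  if (method === 'GET') {
    return {
      status: 200,
      headers: { ...CORS_HEADERS, 'Content-Type': 'application/json' },
      body: JSON.stringify(PROFILE),
    };
  }
  // Methods outside the advertised set are refused.
  return { status: 405, headers: { ...CORS_HEADERS, Allow: 'GET, OPTIONS' }, body: '' };
}

// Wires the handler into Node's built-in HTTP server, bound to loopback only.
async function startServer(port) {
  const http = await import('node:http');
  const server = http.createServer((req, res) => {
    const { status, headers, body } = respond(req.method);
    res.writeHead(status, headers);
    res.end(body);
  });
  return new Promise((resolve) => server.listen(port, '127.0.0.1', () => resolve(server)));
}
```

With `startServer(8080)` running, the `fetch` call from the Problem section, pointed at `http://127.0.0.1:8080/`, succeeds from a page on another origin.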
