Well we could specify that software must implement the procedure, and not actually require servers to accept requests from all origins?

On 4 Aug 2010, at 16:26, Thomas Down wrote:

> Despite being a strong CORS advocate (and not just for DAS -- it'll be
> beneficial for a whole raft of services), I'm actually a bit reluctant to
> make it mandatory without some rather careful thought.
>
> Unrestricted CORS is, as far as I can tell, always appropriate for public DAS
> servers offering data to the community. It's probably also good for
> password-protected-by-publicly-routable servers (although the
> implementation gets a wee bit more complex in that case).
>
> However, if you're running a DAS server behind a firewall, CORS does
> potentially open you to possible security issues which wouldn't otherwise be
> present. In the most security-conscious environments, people might want to
> just whitelist the origins of specific clients.
>
> How about including a link to the CORS spec and saying "implementation is
> strongly encouraged", or something like that?
>
> thomas.
>
> On Wed, Aug 4, 2010 at 3:58 PM, Andy Jenkinson <[email protected]>
> wrote:
> Since this seems to have been given the thumbs up, shall we make CORS support
> mandatory from 1.6 onwards?
>
> I suggested this when it first came up last year, but I got no replies so
> didn't put it in the spec. I suspect because it was in the middle of a flurry
> of emails about "maxbins" :)
>
> On 3 Aug 2010, at 22:28, Thomas Down wrote:
>
> > Jonathan's written a nice summary here:
> >
> >     http://biodasman.wordpress.com/2010/07/20/cors/
> >
> > But briefly... it's the "official" way to work around the same-origin
> > policy (by default, browsers only allow unsigned javascript to trigger HTTP
> > requests to the server from which it was originally downloaded). The
> > specification is here:
> >
> >     http://www.w3.org/TR/cors/
> >
> > (Please don't be too alarmed by the datestamp! The core parts have been
> > stable for > a year now, and it's well supported by Mozilla, WebKit, and --
> > via a slightly different API -- Internet Explorer).
> >
> > If you're running a public server and want it to be CORS accessible, all
> > that is needed is to emit the header:
> >
> >     Access-Control-Allow-Origin: *
> >
> > ...and you're done.
> >
> > (If you're running password-protected DAS servers, or DAS servers hosting
> > sensitive information behind a firewall, you might want a slightly more
> > sophisticated CORS implementation. Happy to discuss if anyone is
> > interested).
> >
> > Thomas.
> >
> > On Tue, Aug 3, 2010 at 10:21 PM, Lincoln Stein
> > <[email protected]> wrote:
> >
> >> Someone give me a quick summary of CORS support. I want to make sure that
> >> GBrowse exports DAS 1.53 with CORS (is it just the registry metadata, or
> >> something new?)
> >>
> >> Lincoln
> >>
> >> On Tue, Aug 3, 2010 at 4:52 PM, Jonathan Warren <[email protected]> wrote:
> >>
> >>> This is very cool - I had a look the other day. Was wondering why some
> >>> sources could be attached and some can't....
> >>> Best browser experience yet by far I'd say.
> >>>
> >>> No problems about adding CORS support - for the record I'm very happy to
> >>> implement new capabilities testing and other suggestions to the registry
> >>> from anyone who cares to drop me a line. Especially if it's going to
> >>> enhance and promote the use of the registry :)
> >>>
> >>> On 3 Aug 2010, at 20:41, Thomas Down wrote:
> >>>
> >>>> As some of you already know, I've been experimenting recently with a
> >>>> web-based DAS client for genomic data. It's still in an unashamedly
> >>>> prototypical state (in particular, some of the popups and
> >>>> configuration stuff is outright clunky, and we know it!), but we're
> >>>> starting to find it quite useful, and would be interested to receive
> >>>> more feedback. So if you're curious, you can try it here:
> >>>>
> >>>>     http://www.biodalliance.org/human/ncbi36/
> >>>>
> >>>> It's a fully-fledged DAS/1.53 client (with a few bits of DAS/1.6, and
> >>>> hopefully rather more coming soon), but has one major caveat: since it's
> >>>> pure Javascript code running in your web browser, there are limitations
> >>>> to which servers it can connect to. Specifically, it will only work with
> >>>> DAS servers that implement the W3C cross-origin resource sharing model
> >>>> (which has been discussed on this list before, but drop me a line if
> >>>> you've got any questions). What does this mean in practice? If you're
> >>>> adding datasources from the registry, things are simple because
> >>>> Dalliance will only allow you to add CORS-enabled sources (a huge thanks
> >>>> to Jonathan Warren for adding some support for this in the registry). If
> >>>> you run your own DAS servers and don't list them in the registry, you'll
> >>>> need to check for CORS compatibility yourself. The latest versions of
> >>>> Proserver and Dazzle should both be okay.
> >>>>
> >>>> All comments, suggestions, and bug reports are welcome!
> >>>>
> >>>> Thomas Down.
> >>>> _______________________________________________
> >>>> DAS mailing list
> >>>> [email protected]
> >>>> http://lists.open-bio.org/mailman/listinfo/das
> >>>>
> >>>
> >>> Jonathan Warren
> >>> Senior Developer and DAS coordinator
> >>> blog: http://biodasman.wordpress.com/
> >>> [email protected]
> >>> Ext: 2314
> >>> Telephone: 01223 492314
> >>>
> >>> --
> >>> The Wellcome Trust Sanger Institute is operated by Genome Research Limited,
> >>> a charity registered in England with number 1021457 and a company
> >>> registered in England with number 2742969, whose registered office is
> >>> 215 Euston Road, London, NW1 2BE.
> >>>
> >>
> >> --
> >> Lincoln D. Stein
> >> Director, Informatics and Biocomputing Platform
> >> Ontario Institute for Cancer Research
> >> 101 College St., Suite 800
> >> Toronto, ON, Canada M5G0A3
> >> 416 673-8514
> >> Assistant: Renata Musa <[email protected]>
> >>
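
The two deployments discussed in this thread (a public server sending `Access-Control-Allow-Origin: *`, and a firewalled or password-protected server that whitelists specific client origins) can be expressed as WSGI middleware. This is an added example, not code from the thread or from Proserver or Dazzle; the names `DasCors`, `das_app` and `demo_request`, the allowed methods and headers, and the `/das/sources` path are assumptions.

```python
# Added example: CORS policy for a DAS server as WSGI middleware.
# Origins and paths used here are constructed placeholders.

class DasCors:
    """allowed_origins=None: public server, send "*". A set: only those origins."""

    def __init__(self, app, allowed_origins=None, allow_credentials=False):
        if allowed_origins is None and allow_credentials:
            # Browsers reject "*" on credentialed requests.
            raise ValueError("credentialed CORS needs an explicit origin list")
        self.app, self.allowed, self.credentials = app, allowed_origins, allow_credentials

    def cors_headers(self, origin):
        if self.allowed is None:
            return [("Access-Control-Allow-Origin", "*")]
        headers = [("Vary", "Origin")]  # response differs per Origin; caches must key on it
        if origin in self.allowed:  # exact match; "null" and unknown origins get nothing
            headers.append(("Access-Control-Allow-Origin", origin))
            if self.credentials:
                headers.append(("Access-Control-Allow-Credentials", "true"))
        return headers

    def __call__(self, environ, start_response):
        extra = self.cors_headers(environ.get("HTTP_ORIGIN"))
        granted = any(name == "Access-Control-Allow-Origin" for name, _ in extra)
        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            # Preflight: answer here, never reaching the DAS application.
            if granted:
                extra += [("Access-Control-Allow-Methods", "GET, OPTIONS"),
                          ("Access-Control-Allow-Headers", "Authorization")]
            start_response("204 No Content", extra)
            return [b""]
        return self.app(environ, lambda status, headers, exc_info=None:
                        start_response(status, list(headers) + extra, exc_info))

def das_app(environ, start_response):  # stand-in for a real DAS server
    start_response("200 OK", [("Content-Type", "text/xml")])
    return [b"<SOURCES/>"]

def demo_request(mw, origin, method="GET"):
    """Send one constructed request through mw; return (status, headers dict)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/das/sources", "HTTP_ORIGIN": origin}
    if method == "OPTIONS":
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = "GET"
    mw(environ, lambda status, headers, exc_info=None: seen.update(status=status, headers=dict(headers)))
    return seen["status"], seen["headers"]
```

A request from an origin outside the list still receives the `200` response body; the missing `Access-Control-Allow-Origin` header only tells the browser not to hand it to the calling script. The server's own authentication remains the access control.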
