[ https://issues.apache.org/jira/browse/COUCHDB-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12893795#action_12893795 ]
Chris Anderson commented on COUCHDB-832:
----------------------------------------

Could you describe the nature of this patch? I'm vaguely familiar with the use of OPTIONS for pre-flight testing of the acceptance of cross-domain requests.

Does this patch open up CouchDB to all cross-domain requests? Does that mean if you are logged into a couch as an admin, and then you visit a malicious site, they can delete all your databases / trigger outbound replication / otherwise cause mayhem? Or is this patch more controlled?

I'd imagine if we are going to support this we'll need a way to configure which domains are allowed to trigger cross domain requests.

Maybe I'm totally off-base... please let us know what you think about these issues.

> Handling HTTP OPTIONS method
> ----------------------------
>
>                 Key: COUCHDB-832
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-832
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>    Affects Versions: 1.0
>            Reporter: Stanisław
>
> Method OPTIONS is not allowed, which disables ability for cross-site
> XMLHttpRequest (other than GET) within the browser (see:
> http://www.w3.org/TR/cors)
> Current headers:
> curl -X OPTIONS http://localhost:5984 -v
> ...
> < HTTP/1.1 405 Method Not Allowed
> < Server: CouchDB/1.0.0 (Erlang OTP/R13B)
> < Date: Thu, 22 Jul 2010 17:56:59 GMT
> < Content-Type: text/plain;charset=utf-8
> < Content-Length: 64
> < Cache-Control: must-revalidate
> < Allow: GET,HEAD
> Expected headers:
> HTTP/1.1 200 OK
> Access-Control-Allow-Methods: POST, GET, OPTIONS
> Access-Control-Allow-Headers: X-PINGOTHER
> Stan.
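
The configurable origin allow-list asked for in the comment above, sketched as an added example that is not part of the thread, the patch, or CouchDB's code. `CorsPolicy`, `preflight_headers` and the sample origins are assumed names; the methods and the `X-PINGOTHER` header are the ones from the issue's expected response.

```python
# Added example, not CouchDB code. CorsPolicy, preflight_headers and the
# sample origins are assumptions made for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsPolicy:
    allowed_origins: frozenset  # exact "scheme://host[:port]" strings, or "*"
    allowed_methods: frozenset = frozenset({"GET", "POST", "OPTIONS"})
    allowed_headers: frozenset = frozenset({"x-pingother"})
    allow_credentials: bool = False

    def __post_init__(self):
        # "*" plus credentials would let any site use a logged-in admin's
        # session, so refuse that configuration at load time.
        if self.allow_credentials and "*" in self.allowed_origins:
            raise ValueError("wildcard origin cannot be combined with credentials")


def preflight_headers(policy, request_headers):
    """Return the CORS response headers for an OPTIONS preflight, or {} to deny."""
    req = {k.lower(): v.strip() for k, v in request_headers.items()}
    origin = req.get("origin", "")
    method = req.get("access-control-request-method", "").upper()
    wanted = {h.strip().lower()
              for h in req.get("access-control-request-headers", "").split(",")
              if h.strip()}

    wildcard = "*" in policy.allowed_origins
    # Exact match only: prefix or substring tests would accept look-alike origins.
    if not origin or not (wildcard or origin in policy.allowed_origins):
        return {}
    if method not in policy.allowed_methods or not wanted <= policy.allowed_headers:
        return {}

    headers = {
        "Access-Control-Allow-Origin": "*" if wildcard else origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(policy.allowed_methods)),
        "Access-Control-Allow-Headers": ", ".join(sorted(policy.allowed_headers)),
    }
    if not wildcard:
        headers["Vary"] = "Origin"  # response differs per origin; keep caches honest
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

An empty result means the response carries no CORS headers, so the browser refuses to send the preflighted request. Requests the browser does not preflight (plain GET, or POST with a form content type) are still sent, so state-changing endpoints need their own origin or CSRF check.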