[ https://issues.apache.org/jira/browse/COUCHDB-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12893795#action_12893795 ]
Chris Anderson commented on COUCHDB-832:
----------------------------------------
Could you describe the nature of this patch?
I'm vaguely familiar with the use of OPTIONS for pre-flight testing of the
acceptance of cross-domain requests.
Does this patch open up CouchDB to all cross-domain requests? Does that mean if
you are logged into a couch as an admin, and then you visit a malicious site,
they can delete all your databases / trigger outbound replication / otherwise
cause mayhem?
Or is this patch more controlled? I'd imagine if we are going to support this
we'll need a way to configure which domains are allowed to trigger cross domain
requests.
Maybe I'm totally off-base... please let us know what you think about these
issues.
> Handling HTTP OPTIONS method
> ----------------------------
>
> Key: COUCHDB-832
> URL: https://issues.apache.org/jira/browse/COUCHDB-832
> Project: CouchDB
> Issue Type: Bug
> Components: HTTP Interface
> Affects Versions: 1.0
> Reporter: Stanisław
>
> Method OPTIONS is not allowed, which disables the ability for cross-site
> XMLHttpRequest (other than GET) within the browser (see:
> http://www.w3.org/TR/cors)
> Current headers:
> curl -X OPTIONS http://localhost:5984 -v
> ...
> < HTTP/1.1 405 Method Not Allowed
> < Server: CouchDB/1.0.0 (Erlang OTP/R13B)
> < Date: Thu, 22 Jul 2010 17:56:59 GMT
> < Content-Type: text/plain;charset=utf-8
> < Content-Length: 64
> < Cache-Control: must-revalidate
> < Allow: GET,HEAD
> Expected headers:
> HTTP/1.1 200 OK
> Access-Control-Allow-Methods: POST, GET, OPTIONS
> Access-Control-Allow-Headers: X-PINGOTHER
> Stan.
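The configurable control raised in the comment above, as an added example (not part of the original message and not CouchDB's code): an OPTIONS handler that grants a preflight only to origins on an explicit allowlist. The sample origin and every function and variable name are assumptions; the method and header sets are taken from the issue's expected headers.

```python
# Added example, not CouchDB code. All names here are hypothetical.
ALLOWED_ORIGINS = {"https://app.example.com"}   # constructed sample origin
ALLOWED_METHODS = {"GET", "POST", "OPTIONS"}    # from the issue's expected headers
ALLOWED_HEADERS = {"x-pingother"}               # from the issue's expected headers


def preflight(request_headers):
    """Decide an OPTIONS request; return (status, response_headers)."""
    h = {k.lower(): v.strip() for k, v in request_headers.items()}
    origin = h.get("origin")
    method = h.get("access-control-request-method")
    requested = {
        name.strip().lower()
        for name in h.get("access-control-request-headers", "").split(",")
        if name.strip()
    }

    # Plain OPTIONS (not a CORS preflight): advertise methods, grant nothing.
    if origin is None or method is None:
        return 200, {"Allow": ", ".join(sorted(ALLOWED_METHODS))}

    # Exact-match allowlist: the response never reflects an arbitrary Origin
    # and never uses "*", so only configured sites receive a grant.
    # Access-Control-Allow-Credentials is deliberately not set here.
    denied = (
        origin not in ALLOWED_ORIGINS
        or method not in ALLOWED_METHODS
        or not requested <= ALLOWED_HEADERS
    )
    if denied:
        # No Access-Control-* headers: the browser blocks the real request.
        return 403, {"Vary": "Origin"}

    return 200, {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(requested)),
        "Vary": "Origin",
    }
```

Because DELETE is absent from the allowed methods, a cross-origin preflight for DELETE is refused even when it comes from an allowlisted origin.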