[jira] Commented: (COUCHDB-832) Handling HTTP OPTIONS method

2010-07-30 Thread luisbebop (JIRA)

[ https://issues.apache.org/jira/browse/COUCHDB-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12894050#action_12894050 ]

luisbebop commented on COUCHDB-832:
---

Hi Chris.

You are totally right. I created this patch to use CouchDB for a very 
specific application that a few users will use. The security flaw that I 
have, allowing all domains in Origin, is not a big problem for me.

But to apply this implementation on trunk, I'd imagine a new configuration 
section where we can set the domains that we will allow in the Origin header. The 
W3C CORS spec recommends this control on the server side. For example:

%we have to change this line, to get a list of allowed origins. Not the origin 
that came on header request.
Origin = header_value(Req, Origin, *), 
 
 DefaultHeaders = [
 {Content-Type, negotiate_content_type(Req)},
-{Cache-Control, must-revalidate}
+{Cache-Control, must-revalidate},
+{Access-Control-Allow-Origin, Origin},
+{Access-Control-Allow-Headers, Content-Type, Authorization},
+{Access-Control-Allow-Credentials, true}
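Review bot: the `+{Access-Control-Allow-Origin, Origin}` line still reflects whatever `header_value(Req, Origin, *)` returns, and paired with `+{Access-Control-Allow-Credentials, true}` that allows a page from any site to make credentialed requests; the `*` default is also a combination the CORS spec rejects for credentialed responses. Replace the lookup with a check of the request's Origin against the configured allow-list proposed above, emit the Allow-Origin and Allow-Credentials headers only on an exact match, and add a `Vary: Origin` header so caches do not serve one origin's response to another.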

I think we have 50% of the job done. I'd appreciate it if you implement the section 
and the function to get the allowed domains, because I'm an Erlang newbie.

Thanks for your response and the amazing work with couchdb and couch.io.

 Handling HTTP OPTIONS method
 

 Key: COUCHDB-832
 URL: https://issues.apache.org/jira/browse/COUCHDB-832
 Project: CouchDB
  Issue Type: Bug
  Components: HTTP Interface
Affects Versions: 1.0
Reporter: Stanisław

 Method OPTIONS is not allowed, which disables the ability for cross-site 
 XMLHttpRequest (other than GET) within the browser (see: 
 http://www.w3.org/TR/cors)

 Current headers:

   curl -X OPTIONS http://localhost:5984 -v
   ...
   HTTP/1.1 405 Method Not Allowed
   Server: CouchDB/1.0.0 (Erlang OTP/R13B)
   Date: Thu, 22 Jul 2010 17:56:59 GMT
   Content-Type: text/plain;charset=utf-8
   Content-Length: 64
   Cache-Control: must-revalidate
   Allow: GET,HEAD

 Expected headers:

   HTTP/1.1 200 OK
   Access-Control-Allow-Methods: POST, GET, OPTIONS
   Access-Control-Allow-Headers: X-PINGOTHER

 Stan.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
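The allow-list approach proposed in the comment above, written out as an added example (this is not the gist's patch and not CouchDB code): the module name, the function names and the origins in `allowed_origins/0` are assumptions for illustration, and the configured list stands in for the configuration section the comment asks for.

```erlang
-module(cors_allowlist).
-export([allowed_origins/0, cors_headers/2, preflight_response/2]).

%% Constructed stand-in for a configuration section listing permitted origins.
allowed_origins() ->
    ["https://app.example.org", "https://admin.example.org"].

%% Origin is the request's Origin header value, or undefined when absent.
%% Returns the CORS headers to add, or [] when the origin is not permitted.
cors_headers(undefined, _Allowed) ->
    [];
cors_headers(Origin, Allowed) ->
    case lists:member(Origin, Allowed) of
        true ->
            %% Echo only the matched origin: a credentialed response must name
            %% one origin, never "*", and Vary: Origin keeps shared caches from
            %% replaying this answer to a page from a different origin.
            [{"Access-Control-Allow-Origin", Origin},
             {"Access-Control-Allow-Credentials", "true"},
             {"Access-Control-Allow-Headers", "Content-Type, Authorization"},
             {"Access-Control-Allow-Methods", "POST, GET, OPTIONS"},
             {"Vary", "Origin"}];
        false ->
            %% Unknown origin: send no CORS headers at all, so the browser
            %% refuses the cross-site request instead of the server reflecting it.
            []
    end.

%% Preflight: answer OPTIONS with 200 instead of 405, but attach the CORS
%% headers only for permitted origins.
preflight_response(Origin, Allowed) ->
    {200, [{"Content-Length", "0"} | cors_headers(Origin, Allowed)]}.
```

Calling `preflight_response("https://evil.example", allowed_origins())` yields `{200, [{"Content-Length", "0"}]}`, while a listed origin gets the full header set.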



[jira] Commented: (COUCHDB-832) Handling HTTP OPTIONS method

2010-07-29 Thread luisbebop (JIRA)

[ https://issues.apache.org/jira/browse/COUCHDB-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12893792#action_12893792 ]

luisbebop commented on COUCHDB-832:
---

I created a patch for this issue. I've implemented the W3C CORS, including 
credentialed requests.

http://gist.github.com/499002
