[jira] Commented: (COUCHDB-832) Handling HTTP OPTIONS method
[ https://issues.apache.org/jira/browse/COUCHDB-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12894050#action_12894050 ]

luisbebop commented on COUCHDB-832:
---

Hi Chris. You are totally right. I created this patch to use CouchDB for a very specific application that a few users will use. The security flaw I have, allowing all domains in Origin, is not a big problem for me. But to apply this implementation on trunk, I'd imagine a new configuration section where we can set the domains that we will allow in the Origin header. The W3C CORS spec recommends this control on the server side. For example:

%we have to change this line, to get a list of allowed origins. Not the origin that came on header request. Origin = header_value(Req, Origin, *), DefaultHeaders = [ {Content-Type, negotiate_content_type(Req)}, -{Cache-Control, must-revalidate} +{Cache-Control, must-revalidate}, +{Access-Control-Allow-Origin, Origin}, +{Access-Control-Allow-Headers, Content-Type, Authorization}, +{Access-Control-Allow-Credentials, true}

I think we have 50% of the job done. I'd appreciate it if you implement the section and the function to get the allowed domains, because I'm an Erlang newbie. Thanks for your response and the amazing work with CouchDB and couch.io.

Handling HTTP OPTIONS method
Key: COUCHDB-832
URL: https://issues.apache.org/jira/browse/COUCHDB-832
Project: CouchDB
Issue Type: Bug
Components: HTTP Interface
Affects Versions: 1.0
Reporter: Stanisław

Method OPTIONS is not allowed, which disables the ability for cross-site XMLHttpRequest (other than GET) within the browser (see: http://www.w3.org/TR/cors)

Current headers:

curl -X OPTIONS http://localhost:5984 -v
...
HTTP/1.1 405 Method Not Allowed
Server: CouchDB/1.0.0 (Erlang OTP/R13B)
Date: Thu, 22 Jul 2010 17:56:59 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 64
Cache-Control: must-revalidate
Allow: GET,HEAD

Expected headers:

HTTP/1.1 200 OK
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER

Stan.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
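Review bot: the `Access-Control-Allow-Origin` value in the quoted hunk is the raw request header (`Origin = header_value(Req, Origin, *)`), falling back to `*` when no `Origin` is sent, and it is emitted next to `{Access-Control-Allow-Credentials, true}` in `DefaultHeaders`, so every response grants credentialed cross-origin access to whichever origin asked, which is exactly the exposure Chris raises; `*` combined with credentials is also a pairing the CORS spec the thread cites does not permit browsers to honour. The `%we have to change this line` comment already names the fix: resolve `Origin` against a configured allow-list and omit the `Access-Control-Allow-*` headers entirely when the request origin is not on it, rather than adding them to `DefaultHeaders` unconditionally. The hunk also only covers response headers; nothing shown changes the `405 Method Not Allowed` answer to `OPTIONS` that the issue reports, so that part of the patch should be quoted too.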
[jira] Commented: (COUCHDB-832) Handling HTTP OPTIONS method
[ https://issues.apache.org/jira/browse/COUCHDB-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12893792#action_12893792 ]

luisbebop commented on COUCHDB-832:
---

I created a patch for this issue. I've implemented the W3C CORS, including credentialed requests.

http://gist.github.com/499002
[jira] Commented: (COUCHDB-832) Handling HTTP OPTIONS method
[ https://issues.apache.org/jira/browse/COUCHDB-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12893795#action_12893795 ]

Chris Anderson commented on COUCHDB-832:
---

Could you describe the nature of this patch? I'm vaguely familiar with the use of OPTIONS for pre-flight testing of the acceptance of cross-domain requests.

Does this patch open up CouchDB to all cross-domain requests? Does that mean if you are logged into a couch as an admin, and then you visit a malicious site, they can delete all your databases / trigger outbound replication / otherwise cause mayhem? Or is this patch more controlled?

I'd imagine if we are going to support this we'll need a way to configure which domains are allowed to trigger cross domain requests.

Maybe I'm totally off-base... please let us know what you think about these issues.
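Both comments above converge on the same design: a configuration section listing the origins allowed to make cross-domain requests, with the server deciding from that list rather than echoing whatever `Origin` the browser sent. The following is an added example of that allow-list logic, written in Python for clarity; it is not CouchDB code and not the patch from the gist. The `[cors]` section, its keys (`origins`, `credentials`, `methods`, `headers`) and the `example.com` origins are constructed stand-ins for the "new configuration section" the thread proposes, and the preflight inputs are constructed to mirror the `OPTIONS` request and `X-PINGOTHER` header from the issue description.

```python
"""Added example (not CouchDB's own code): CORS response headers driven by a
configured origin allow-list, the approach discussed in COUCHDB-832.

The [cors] section below is a constructed stand-in for the "new configuration
section" proposed in the thread; its section and key names are hypothetical.
"""
import configparser
from typing import Dict, List, Mapping, Tuple

SAMPLE_CONFIG = """\
[cors]
origins = https://app.example.com, https://admin.example.com
credentials = true
methods = GET, POST, PUT, DELETE, OPTIONS
headers = Content-Type, Authorization
"""


def _csv(value: str) -> List[str]:
    """Split a comma-separated config value into trimmed, non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_cors_config(text: str) -> Dict:
    """Read the hypothetical [cors] section into a policy dict."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    section = parser["cors"] if parser.has_section("cors") else {}
    return {
        # Origins are compared case-insensitively; browsers send them lowercased.
        "origins": {o.lower() for o in _csv(section.get("origins", ""))},
        "credentials": section.get("credentials", "false").strip().lower() == "true",
        "methods": _csv(section.get("methods", "GET, OPTIONS")),
        "headers": _csv(section.get("headers", "")),
    }


def cors_headers(policy: Dict, method: str,
                 request_headers: Mapping[str, str]) -> Tuple[bool, Dict[str, str]]:
    """Decide one request under `policy`.

    Returns (allowed, headers). `allowed` is False when a cross-origin request
    or preflight names an origin, method or header the policy does not list;
    the caller then answers without CORS headers (or refuses outright).
    Unlike the patch quoted in the thread, the Origin value is only echoed
    when it is on the allow-list, and '*' is never sent alongside credentials.
    """
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin", "").strip().lower()
    preflight = method.upper() == "OPTIONS" and "access-control-request-method" in hdrs

    if not origin:
        # Same-origin or non-browser client: CORS does not apply.
        return True, {}

    # Vary on Origin so a cache never serves one origin's answer to another.
    rejected = (False, {"Vary": "Origin"})

    # "null" (sandboxed iframes, file://) is never a trustworthy origin.
    if origin == "null" or origin not in policy["origins"]:
        return rejected

    out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if policy["credentials"]:
        out["Access-Control-Allow-Credentials"] = "true"

    if preflight:
        wanted_method = hdrs["access-control-request-method"].strip().upper()
        wanted_headers = [h.lower() for h in _csv(hdrs.get("access-control-request-headers", ""))]
        allowed_headers = {h.lower() for h in policy["headers"]}
        if wanted_method not in {m.upper() for m in policy["methods"]}:
            return rejected
        if any(h not in allowed_headers for h in wanted_headers):
            return rejected
        out["Access-Control-Allow-Methods"] = ", ".join(policy["methods"])
        if policy["headers"]:
            out["Access-Control-Allow-Headers"] = ", ".join(policy["headers"])

    return True, out


if __name__ == "__main__":
    policy = parse_cors_config(SAMPLE_CONFIG)
    # Constructed preflight from an allowed origin: approved with the configured lists.
    print(cors_headers(policy, "OPTIONS", {
        "Origin": "https://app.example.com",
        "Access-Control-Request-Method": "PUT",
        "Access-Control-Request-Headers": "Content-Type",
    }))
    # The issue's X-PINGOTHER header is not on the allow-list, so this preflight is refused.
    print(cors_headers(policy, "OPTIONS", {
        "Origin": "https://app.example.com",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "X-PINGOTHER",
    }))
```

The two design choices worth noting are that a rejected origin gets no `Access-Control-Allow-*` headers at all rather than a permissive default, and that `Access-Control-Allow-Origin` is always a single concrete origin taken from the configured set, which is what lets `Access-Control-Allow-Credentials: true` be sent safely.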