couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Anderson (JIRA)" <j...@apache.org>
Subject [jira] Commented: (COUCHDB-832) Handling HTTP OPTIONS method
Date Thu, 29 Jul 2010 19:52:16 GMT

    [ https://issues.apache.org/jira/browse/COUCHDB-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12893795#action_12893795
] 

Chris Anderson commented on COUCHDB-832:
----------------------------------------

Could you describe the nature of this patch?

I'm vaguely familiar with the use of OPTIONS for pre-flight testing of the acceptance of cross-domain
requests.

Does this patch open up CouchDB to all cross-domain requests? Does that mean if you are logged
into a couch as an admin, and then you visit a malicious site, they can delete all your databases
/ trigger outbound replication / otherwise cause mayhem?

Or is this patch more controlled? I'd imagine if we are going to support this we'll need a
way to configure which domains are allowed to trigger cross domain requests. 

Maybe I'm totally off-base... please let us know what you think about these issues.

> Handling HTTP OPTIONS method
> ----------------------------
>
>                 Key: COUCHDB-832
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-832
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>    Affects Versions: 1.0
>            Reporter: Stanisław
>
> Method OPTIONS is not allowed, which disables ability for cross-site XMLHttpRequest (other
than GET) within the browser (see: http://www.w3.org/TR/cors)
> Current headers:
>   curl -X OPTIONS http://localhost:5984 -v
>   ...
>   < HTTP/1.1 405 Method Not Allowed
>   < Server: CouchDB/1.0.0 (Erlang OTP/R13B)
>   < Date: Thu, 22 Jul 2010 17:56:59 GMT
>   < Content-Type: text/plain;charset=utf-8
>   < Content-Length: 64
>   < Cache-Control: must-revalidate
>   < Allow: GET,HEAD
> Expected headers:
>   HTTP/1.1 200 OK
>   Access-Control-Allow-Methods: POST, GET, OPTIONS
>   Access-Control-Allow-Headers: X-PINGOTHER
> Stan.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message