couchdb-dev mailing list archives

From Mikeal Rogers <mikeal.rog...@gmail.com>
Subject Access Control Headers
Date Thu, 14 Oct 2010 20:17:04 GMT
This has been brought up a few times but I think it's about time we come up
with a real plan to solve it.

CouchDB currently can't add access control headers for cross site HTTP
requests from the browser for anything other than show and list. That means
all the regular API calls as well as attachments can't be served with these
headers.

The latest issue I bumped into was that Firefox implements these
restrictions for fetching fonts defined with @font-face, annoying!

http://www.w3.org/TR/cors/
https://developer.mozilla.org/En/HTTP_Access_Control

Some of the earlier discussion was centered around adding any arbitrary
headers to some user defined set of requests. I don't have a solid use case
in my head for headers other than Access Control nor do I think that any
other headers that could be added would have the same security implications
so I'd like to come up with a plan that is actually targeted at cross site
requests from the browser rather than some other generic feature for header
addition.

The suggestion that jchris had was that what we should probably do is allow
you to set in the config a database(s) that has these headers added to every
request with that db prefix.

These are the most common headers we need to worry about.

Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER
Access-Control-Allow-Credentials: true

I think the first 3 should be user configurable and, unless we have a good
objection, we always add "Access-Control-Allow-Credentials: true".

Thoughts?

-Mikeal
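The per-database scheme sketched above, worked through as an added example. This is not CouchDB code and not part of Mikeal's message; the config layout, the database name `public_docs`, the origin values and the function names are assumptions made for the illustration. It keeps to the proposal (headers only for configured databases, the first three headers taken from the config, `Access-Control-Allow-Credentials: true` always added) and shows the one check the CORS spec linked above forces on that design: once credentials are allowed, the origin has to be echoed exactly from an allowlist, never `*`, and the match has to be on the whole normalized origin so that `http://foo.example.attacker.test` does not pass as `http://foo.example`.

```python
from urllib.parse import urlsplit

# Constructed example config, shaped after the proposal: one entry per
# database whose responses get the access-control headers. Keys mirror the
# three configurable headers; the db name and origins are placeholders.
CORS_CONFIG = {
    "public_docs": {
        "allow_origin": ["http://foo.example", "https://app.foo.example:8443"],
        "allow_methods": ["GET", "POST", "OPTIONS"],
        "allow_headers": ["X-PINGOTHER"],
    },
}


def _header(request_headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    wanted = name.lower()
    for key, value in request_headers.items():
        if key.lower() == wanted:
            return value
    return None


def db_for_path(path):
    """Database prefix of a CouchDB-style request path: '/db/doc' -> 'db'."""
    first = path.lstrip("/").split("/", 1)[0]
    return first or None


def normalize_origin(origin):
    """Canonicalize an Origin value to scheme://host[:port].

    Returns None for anything that is not a well-formed origin (missing scheme,
    'null', a path component, a bad port). Comparing this exact form avoids the
    prefix/suffix confusion that substring or startswith matching would allow.
    """
    if not origin:
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port is not None:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def cors_headers(method, path, request_headers, config=CORS_CONFIG):
    """Response headers to add for a cross-site request, or {} if none apply.

    Headers are added only for databases present in the config, the origin is
    echoed exactly from the allowlist (never '*', because credentials are
    allowed), and Access-Control-Allow-Credentials is always 'true'.
    """
    entry = config.get(db_for_path(path))
    if entry is None:
        return {}
    origin = normalize_origin(_header(request_headers, "Origin"))
    if origin is None:
        return {}
    allowed = {normalize_origin(o) for o in entry["allow_origin"]}
    if origin not in allowed:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # The response differs per origin, so a shared cache must key on it.
        "Vary": "Origin",
    }
    requested = _header(request_headers, "Access-Control-Request-Method")
    if method.upper() == "OPTIONS" and requested:
        # Preflight: answer only for methods the config allows.
        if requested.upper() not in entry["allow_methods"]:
            return {}
        headers["Access-Control-Allow-Methods"] = ", ".join(entry["allow_methods"])
        if entry["allow_headers"]:
            headers["Access-Control-Allow-Headers"] = ", ".join(entry["allow_headers"])
    elif method.upper() not in entry["allow_methods"]:
        # Actual request with a method the config does not allow: add nothing,
        # so the browser refuses to expose the response to the page.
        return {}
    return headers


if __name__ == "__main__":
    print(cors_headers("GET", "/public_docs/doc1", {"Origin": "http://foo.example"}))
    print(cors_headers("GET", "/public_docs/doc1", {"Origin": "http://foo.example.attacker.test"}))
```

Both the request's `Origin` and the configured origins go through the same normalization before comparison, so `HTTP://FOO.EXAMPLE` still matches while `http://foo.example/anything`, `null`, and look-alike hosts do not; any request for a database that is not in the config gets no access-control headers at all, which is the default-closed behaviour the proposal implies.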
