couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Randall Leeds (Commented) (JIRA)" <>
Subject [jira] [Commented] (COUCHDB-431) Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
Date Sun, 27 Nov 2011 13:02:40 GMT


Randall Leeds commented on COUCHDB-431:

After talking more about this today, it seems Benoit have sorted this out a bit more.
- We MUST not allow the preflight request cache to accidentally circumvent CORS settings for
any path
- We SHOULD should both vhost-based configuration and db-level configuration

It's important to support both configurations. I reason that some dbs may want to allow any
combination of read-only/read-write (don't forget to filter X-Request-Method!), anonymous/authenticated,
and any set of headers; sometimes CouchDB is deployed without vhosts; server administrators
MAY want to force CORS settings for a vhost despite any db settings. I don't see a clean way
to fully support the options in the spec from a vhost/config-only approach. The security object
is more flexible and unifies access control in one place.

After some consideration, I hope I have correctly determined that Jason's main fear with configuration
via the _security object is that the invariant I listed first could be violated by a server
which specifies, via _security objects on two or more databases, different access controls
for two paths on the same origin. I would like to suggest that forcing the "Access-Control-Max-Age"
header to "0" is sufficient to ensure good behaviour with _security objects specifying access
control. Therefore, I'm working on a merge with unifies both patches and delegates to the
db when nothing is set on the config level with these considerations in mind.

Finally, I think I want to do another couple of things as well before this is merged:
- For db-level configuration, it should be possible to customise Credentials, Method, and
- Default should be to deny all origins, both on the preflight and the final request. This
applies to vhost-level configs, too.

How does this sit with both of you? Give me your thoughts and I'll try to finish synthesising
a merge when I wake up.
> Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
> -----------------------------------------------------------------------------------
>                 Key: COUCHDB-431
>                 URL:
>             Project: CouchDB
>          Issue Type: New Feature
>          Components: HTTP Interface
>    Affects Versions: 0.9
>            Reporter: James Burke
>            Assignee: Benoit Chesneau
>            Priority: Minor
>             Fix For: 1.2
>         Attachments: 0001-cors-support.-should-fix-COUCHDB-431-2.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch,
0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch,
0001-cors-support.-should-fix-COUCHDB-431.patch, A_0001-Generalize-computing-the-appropriate-headers-for-any.patch,
A_0002-Send-server-headers-for-externals-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch,
A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch, cors.html, cors_test.html, test_cors2-1.tgz,
> Historically, browsers have been restricted to making XMLHttpRequests (XHRs) to the same
origin (domain) as the web page making the request. However, the latest browsers now support
cross-domain requests by implementing the Access Control spec from the W3C:
> In order to keep older servers safe that assume browsers only do same-domain requests,
the Access Control spec requires the server to opt-in to allow cross domain requests by the
use of special HTTP headers and supporting some "pre-flight" HTTP calls.
> Why should CouchDB support this: in larger, high traffic site, it is common to serve
the static UI files from a separate, differently scaled server complex than the data access/API
server layer. Also, there are some API services that are meant to be centrally hosted, but
allow API consumers to use the API from different domains. In these cases, the UI in the browser
would need to do cross domain requests to access CouchDB servers that act as the API/data
access server layer.
> JSONP is not enough in these cases since it is limited to GET requests, so no POSTing
or PUTing of documents.
> Some information from Firefox's perspective (functionality available as of Firefox 3.5):
> And information on Safari/Webkit (functionality in latest WebKit and Safari 4):
> IE 8 also uses the Access Control spec, but the requests have to go through their XDomainRequest
object (XDR):
> and I thought IE8 only allowed GET or POST requests through their XDR.
> But as far as CouchDB is concerned, implementing the Access Control headers should be
enough, and hopefully IE 9 will allow normal xdomain requests via XHR.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


View raw message