couchdb-dev mailing list archives

From Benoit Chesneau <bchesn...@gmail.com>
Subject CORS feature.
Date Mon, 28 Nov 2011 10:38:20 GMT

Hi,

We had a great discussion today, Jason, Randall and I, about the CORS
feature [1].
I'm posting here the current result, which you can find on friendpaste
[2] too. I think it's a pretty good start and we can begin to code it.
The implementation is mostly a merge between Jason's proposal and mine,
imo. Thoughts?

- benoît

[1] https://issues.apache.org/jira/browse/COUCHDB-431
[2] http://friendpaste.com/4q1zeNUEtPFS7XbioPYYzM

guidelines :
------------------

    - rules should be based on host .
    - rules depending on the resource :
      - server : rules defined in .ini
      - db : rules defined in .db

    - default cors policy :
        - allows credential = false
        - cors enabled
    - cors can be disabled globally



    rules definition :

    global wide

    [httpd]
    cors_enabled = true

    [origins]
    domain.tld = http://origin.tld, https://origin.tld

    [http://origin.tld]
    allow_methods = GET, POST
    allow_headers = x-couchdb-...
    allow_credentials = false


    [https://origin.tld]
    allow_methods = GET, PUT, POST, DELETE
    allow_headers = x-couchdb-...
    allow_credentials = true
    allow_server_admins = true
    max-age = 36000


    on db _security object :


    {
        "origins": {
            "domain.tld": [
                {"http://origin.tld": { "allow_methods": "GET, POST", ...}}
            ]
        }
    }



    work flow :

    is origins list empty in ini
    yes -> is admin party set ?
      yes -> return "*" , credentials false (with a good caching policy)
      no -> stop
    no ->
      is origin in .ini ?
      yes ->
        is origin in list ?
        yes ->
          set the cors headers based on .ini
          then are we on a db resource ?
            yes ->
              apply the intersection of .ini with db resource
        no -> stop
      no ->
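
The work flow above, written out in Python as an added example; it is not part of the original message and not CouchDB code. Assumptions: "is origin in .ini" is read as a lookup of the request host in `[origins]`, the final branch that is cut off in the message fails closed, "intersection" means common methods plus credentials only when both sides allow them, and a db without a rule for the origin leaves the .ini rule unchanged. The function and variable names are hypothetical.

```python
# Added illustration of the proposed work flow; sample data is constructed.
INI = {  # mirrors the sample .ini sections in the message
    "origins": {"domain.tld": ["http://origin.tld", "https://origin.tld"]},
    "http://origin.tld": {"allow_methods": "GET, POST", "allow_credentials": False},
    "https://origin.tld": {"allow_methods": "GET, PUT, POST, DELETE",
                           "allow_credentials": True},
}
DB_SECURITY = {  # constructed db _security object, same shape as the JSON above
    "origins": {"domain.tld": [
        {"https://origin.tld": {"allow_methods": "GET, POST",
                                "allow_credentials": False}}]}
}


def _methods(rule):
    return {m.strip() for m in rule.get("allow_methods", "").split(",") if m.strip()}


def _intersect(ini_rule, db_rule):
    # Assumption: common methods; credentials only if both rules allow them.
    return {"methods": _methods(ini_rule) & _methods(db_rule),
            "credentials": bool(ini_rule.get("allow_credentials"))
                           and bool(db_rule.get("allow_credentials"))}


def cors_decision(host, origin, ini, admin_party=False, db_security=None):
    """Return None ("stop": emit no CORS headers) or the policy to emit."""
    origins = ini.get("origins", {})
    if not origins:
        # Empty origins list: wildcard without credentials, admin party only.
        return {"origin": "*", "credentials": False} if admin_party else None
    if host not in origins:
        return None  # branch cut off in the message; assumed to fail closed
    if origin not in origins[host]:
        return None  # origin not in the host's list -> stop
    rule = ini.get(origin, {})
    policy = {"methods": _methods(rule),
              "credentials": bool(rule.get("allow_credentials"))}
    if db_security is not None:  # the request targets a db resource
        # Assumption: no db rule for this origin keeps the .ini rule as is.
        for entry in db_security.get("origins", {}).get(host, []):
            if origin in entry:
                policy = _intersect(rule, entry[origin])
    policy["origin"] = origin
    return policy
```

With this reading a db rule can only narrow what the server-wide rule grants, never widen it.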
