Date: Mon, 28 Nov 2011 11:50:08 +0100
Subject: Re: CORS feature.
From: Benoit Chesneau
To: dev@couchdb.apache.org

On Mon, Nov 28, 2011 at 11:38 AM, Benoit Chesneau wrote:
> Hi,
> We had a great discussion today Jason, Randall and me about the CORS
> feature [1] .
> I'm posting here the current result that you can find on friendpaste
> [2] too. I think it's a pretty good start and we can begin to code it.
> Implementation is mostly a merge between Jason's proposal and mine imo.
> Thoughts ?
>
> - benoît
>
> [1] https://issues.apache.org/jira/browse/COUCHDB-431
> [2] http://friendpaste.com/4q1zeNUEtPFS7XbioPYYzM
>
> guidelines :
> ------------------
>
>    - rules should be based on host .
>    - rules depending on the resource :
>      - server : rules defined in .ini
>      - db : rules defined in .db
>
>    - default cors policy :
>        - allows credential = false
>        - cors enabled
>    - cors can be disabled globally
>
>
>
>    rules definition :
>
>    global wide
>
>    [httpd]
>    cors_enabled = true
>
>    [origins]
>    domain.tld = http://origin.tld, https://origin.tld
>
>    [http://origin.tld]
>    allow_methods = GET, POST
>    allow_headers = x-couchdb-...
>    allow_credentials = false
>
>
>    [https://origin.tld]
>    allow_methods = GET, PUT, POST, DELETE
>    allow_headers = x-couchdb-...
>    allow_credentials = true
>    allow_server_admins = true
>    max-age = 36000
>
>
>    on db _security object :
>
>
>    {
>        "origins": {
>            "domain.tld": [
>                {"http://origin.tld": { "allow_methods": "GET, POST",
>    ...}
>            ]
>        }
>    }
>
>
>
>    work flow :
>
>    is origins list empty in ini
>    yes -> is admin party set ?
>      yes -> return "*" , credentials false (with a good caching policy)
>      no -> stop
>    no ->
>      is origin in .ini ?
>      yes ->
>        is origin in list ?
>        yes ->
>          set the cors headers based on .ini
>          then are we on a db resource ?
>            yes ->
>              apply the intersection of .ini with db resource
>        no -> stop
>      no ->
>

Quick note about hosts. It should be able to set '*' to manage origins
for any hosts.

- benoît
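
The workflow from the quoted proposal, sketched in Python as an added example (not code from this thread or from CouchDB); it also goes one step further and applies the '*' host from the follow-up note. All function and variable names are hypothetical, the sample data is constructed, and it assumes that the unfinished "no ->" branches emit no headers, that a db which lists origins excludes any origin it omits, and that a db rule without allow_credentials falls back to the default policy of false.

```python
# Added example, not CouchDB code: every name here is hypothetical.
INI = {  # constructed sample mirroring the [origins] and per-origin sections
    "origins": {"domain.tld": ["http://origin.tld", "https://origin.tld"]},
    "http://origin.tld": {"allow_methods": {"GET", "POST"},
                          "allow_credentials": False},
    "https://origin.tld": {"allow_methods": {"GET", "PUT", "POST", "DELETE"},
                           "allow_credentials": True},
}
# Constructed _security object: the db narrows https://origin.tld to GET.
DB_SECURITY = {"origins": {"domain.tld": [
    {"https://origin.tld": {"allow_methods": {"GET"}, "allow_credentials": True}},
]}}


def db_rule(security, host, origin):
    """Return the db rule for origin, or False if the db lists origins without it."""
    if "origins" not in security:
        return None  # assumption: a db without CORS rules adds no restriction
    for entry in security["origins"].get(host, []):
        if origin in entry:
            return entry[origin]
    return False


def cors_headers(ini, host, origin, admin_party=False, security=None):
    """Return the CORS response headers, or None when none are emitted."""
    origins = ini.get("origins", {})
    if not origins:
        # Empty list: only an admin-party server answers, "*" without credentials.
        return {"Access-Control-Allow-Origin": "*"} if admin_party else None
    allowed = origins.get(host, origins.get("*"))  # '*' host: follow-up note
    if allowed is None or origin not in allowed or origin not in ini:
        return None  # assumption: the unfinished "no ->" branches emit nothing
    methods = set(ini[origin]["allow_methods"])
    creds = ini[origin]["allow_credentials"]
    if security is not None:  # the request targets a db resource
        rule = db_rule(security, host, origin)
        if rule is False:
            return None
        if rule:  # intersection: the db can narrow the .ini rule, never widen it
            methods &= set(rule.get("allow_methods", methods))
            creds = creds and rule.get("allow_credentials", False)
    if not methods:
        return None
    headers = {"Access-Control-Allow-Origin": origin,
               "Access-Control-Allow-Methods": ", ".join(sorted(methods))}
    if creds:  # sent only as "true"; omitted otherwise
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```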