couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jason Smith <>
Subject CORS question: interaction of global and local config
Date Mon, 16 Jan 2012 02:35:19 GMT
Randall, Benoit, others:


The spec says to use the global config for non-DB resources, or if a
database has no _security object. Some questions:

1. What if there is a _security object but nothing about CORS? For
example, I use Futon to add a DB admin.

2. What if there is a _security config *and* a global config?

2a. Do allowed methods accumulate? E.g. _security says allow_methods
"GET, POST" and the config says allow_methods "GET, PUT". Is it (i)
"GET, POST", (ii) "GET, PUT, POST", or (iii), "GET, PUT"?

2b. What about max_age? Does the _security value win? The global value
win? Or does the greater or lesser value win?

3. If CORS is working for a db, but the global config has
httpd/cors_enabled=false, what is the response for that database?

Iris Couch

View raw message