From: "Jan Lehnardt (JIRA)"
To: dev@couchdb.apache.org
Reply-To: dev@couchdb.apache.org
Date: Mon, 12 Nov 2012 17:23:13 +0000 (UTC)
Message-ID: <2071930260.101435.1352740993349.JavaMail.jiratomcat@arcas>
Subject: [jira] [Commented] (COUCHDB-431) cors - aka Cross-Origin Resource Sharing support

[ https://issues.apache.org/jira/browse/COUCHDB-431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13495434#comment-13495434 ]

Jan Lehnardt commented on COUCHDB-431:
--------------------------------------

More commentary: it seems we have been ignoring the request clause 6.1.4 (http://www.w3.org/TR/cors/#resource-requests) so far:

> 4. If the list of exposed headers is not empty add one or more Access-Control-Expose-Headers headers, with as values the header field names given in the list of exposed headers.
> Note: By not adding the appropriate headers resource can also clear the preflight result cache of all entries where origin is a case-sensitive match for the value of the Origin header and url is a case-sensitive match for the URL of the resource.

I have a patch for the branch that adds it, but it is not particularly pretty. I also might misunderstand the clause.

https://friendpaste.com/2HRIirmB8t3XjtiYNgKlf

Either way, it'd be good to get more eyeballs on this, thanks!

> cors - aka Cross-Origin Resource Sharing support
> -------------------------------------------------
>
>                 Key: COUCHDB-431
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-431
>             Project: CouchDB
>          Issue Type: New Feature
>          Components: HTTP Interface
>    Affects Versions: 0.9
>            Reporter: James Burke
>            Assignee: Benoit Chesneau
>            Priority: Blocker
>             Fix For: 1.3
>
>         Attachments: 0001-cors-support.-should-fix-COUCHDB-431-2.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, A_0001-Generalize-computing-the-appropriate-headers-for-any.patch, A_0002-Send-server-headers-for-externals-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch, A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch, check_method_cors.patch, cors.html, cors_test.html, test_cors2-1.tgz, test_cors2.tgz
>
>
> Historically, browsers have been restricted to making XMLHttpRequests (XHRs) to the same origin (domain) as the web page making the request. However, the latest browsers now support cross-domain requests by implementing the Access Control spec from the W3C:
> http://dev.w3.org/2006/waf/access-control/
> In order to keep older servers safe that assume browsers only do same-domain requests, the Access Control spec requires the server to opt-in to allow cross domain requests by the use of special HTTP headers and supporting some "pre-flight" HTTP calls.
> Why should CouchDB support this: in larger, high-traffic sites, it is common to serve the static UI files from a separate, differently scaled server complex than the data access/API server layer. Also, there are some API services that are meant to be centrally hosted, but allow API consumers to use the API from different domains. In these cases, the UI in the browser would need to do cross domain requests to access CouchDB servers that act as the API/data access server layer.
> JSONP is not enough in these cases since it is limited to GET requests, so no POSTing or PUTing of documents.
> Some information from Firefox's perspective (functionality available as of Firefox 3.5):
> https://developer.mozilla.org/en/HTTP_access_control
> And information on Safari/Webkit (functionality in latest WebKit and Safari 4):
> http://developer.apple.com/safari/library/documentation/AppleApplications/Conceptual/SafariJSProgTopics/Articles/XHR.html
> IE 8 also uses the Access Control spec, but the requests have to go through their XDomainRequest object (XDR):
> http://msdn.microsoft.com/en-us/library/cc288060%28VS.85%29.aspx
> and I thought IE8 only allowed GET or POST requests through their XDR.
> But as far as CouchDB is concerned, implementing the Access Control headers should be enough, and hopefully IE 9 will allow normal xdomain requests via XHR.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
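To make the clause Jan quotes concrete, here is an added Python model of the server side of the W3C CORS algorithm: the actual-request steps of section 6.1 (including the 6.1.4 Access-Control-Expose-Headers step) next to the preflight steps of section 6.2 that the issue description calls "pre-flight" calls. It is example code written for this page, not CouchDB's Erlang implementation or any of the attached patches; the configuration values and the added `Vary: Origin` cache hint are assumptions, not taken from the spec text quoted above.

```python
from typing import Dict, List, Optional

# Constructed configuration for this example (not CouchDB's real config keys):
# origins that may read responses, the non-simple response headers scripts may
# see (clause 6.1.4), and what a preflight may approve (section 6.2).
ALLOWED_ORIGINS = {"https://app.example.com"}
EXPOSED_HEADERS = ["Content-Type", "Server", "ETag"]
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_REQUEST_HEADERS = {"accept", "content-type", "if-match"}


def actual_request_headers(origin: Optional[str]) -> Dict[str, str]:
    """CORS response headers for a real (non-preflight) request, per 6.1."""
    # Steps 1-3: no Origin, or an Origin not on the list, means no CORS
    # headers at all; the browser then refuses to hand the body to script.
    # The match is an exact, case-sensitive string comparison.
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    # Vary: Origin is an assumed cache-hygiene addition, not part of 6.1.
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    # Step 4 (the clause quoted above): only when the list is non-empty.
    if EXPOSED_HEADERS:
        headers["Access-Control-Expose-Headers"] = ", ".join(EXPOSED_HEADERS)
    return headers


def preflight_headers(origin: Optional[str], requested_method: str,
                      requested_headers: str) -> Dict[str, str]:
    """CORS response headers for an OPTIONS preflight, per 6.2."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    if requested_method not in ALLOWED_METHODS:
        return {}
    # Access-Control-Request-Headers is a comma-separated, case-insensitive list.
    wanted: List[str] = [h.strip().lower()
                         for h in requested_headers.split(",") if h.strip()]
    if any(h not in ALLOWED_REQUEST_HEADERS for h in wanted):
        return {}
    # Expose-Headers is deliberately absent here: the spec attaches it to the
    # actual response (6.1.4), not to the preflight response.
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(wanted),
        "Access-Control-Max-Age": "3600",
        "Vary": "Origin",
    }
```

Returning an empty header set rather than an error is what the spec expects: the server still answers, and it is the browser that withholds the response from the page.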