Return-Path: 
 <dev-return-24069-apmail-couchdb-dev-archive=couchdb.apache.org@couchdb.apache.org>
X-Original-To: apmail-couchdb-dev-archive@www.apache.org
Delivered-To: apmail-couchdb-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 01D94D258
	for <apmail-couchdb-dev-archive@www.apache.org>;
 Mon, 12 Nov 2012 18:03:13 +0000 (UTC)
Received: (qmail 63727 invoked by uid 500); 12 Nov 2012 18:03:12 -0000
Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org
Received: (qmail 63643 invoked by uid 500); 12 Nov 2012 18:03:12 -0000
Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@couchdb.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@couchdb.apache.org>
List-Post: <mailto:dev@couchdb.apache.org>
List-Id: <dev.couchdb.apache.org>
Reply-To: dev@couchdb.apache.org
Delivered-To: mailing list dev@couchdb.apache.org
Received: (qmail 63634 invoked by uid 99); 12 Nov 2012 18:03:12 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 12 Nov 2012 18:03:12 +0000
Date: Mon, 12 Nov 2012 18:03:12 +0000 (UTC)
From: "Jan Lehnardt (JIRA)" <jira@apache.org>
To: dev@couchdb.apache.org
Message-ID: <1405485425.101562.1352743392386.JavaMail.jiratomcat@arcas>
Subject: [jira] [Commented] (COUCHDB-431) cors - aka Cross-Origin Resource
 Sharing  support
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/COUCHDB-431?page=3Dcom.atlassia=
n.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=3D134=
95457#comment-13495457 ]=20

Jan Lehnardt commented on COUCHDB-431:
--------------------------------------

And one more note from the spec:

http://www.w3.org/TR/cors/#resource-security:

> =16In addition to checking the Origin header, resource authors are strong=
ly encouraged to also check the Host header. That is, make sure that the ho=
st name provided by that header matches the host name of the server on whic=
h the resource resides. This will provide protection against DNS rebinding =
attacks.

Does this apply to us?

               =20
> cors - aka Cross-Origin Resource Sharing  support
> -------------------------------------------------
>
>                 Key: COUCHDB-431
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-431
>             Project: CouchDB
>          Issue Type: New Feature
>          Components: HTTP Interface
>    Affects Versions: 0.9
>            Reporter: James Burke
>            Assignee: Benoit Chesneau
>            Priority: Blocker
>             Fix For: 1.3
>
>         Attachments: 0001-cors-support.-should-fix-COUCHDB-431-2.patch, 0=
001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-f=
ix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001=
-cors-support.-should-fix-COUCHDB-431.patch, A_0001-Generalize-computing-th=
e-appropriate-headers-for-any.patch, A_0002-Send-server-headers-for-externa=
ls-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-reques=
ts.patch, A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch, check=
_method_cors.patch, cors.html, cors_test.html, test_cors2-1.tgz, test_cors2=
.tgz
>
>
> Historically, browsers have been restricted to making XMLHttpRequests (XH=
Rs) to the same origin (domain) as the web page making the request. However=
, the latest browsers now support cross-domain requests by implementing the=
 Access Control spec from the W3C:
> http://dev.w3.org/2006/waf/access-control/
> In order to keep older servers safe that assume browsers only do same-dom=
ain requests, the Access Control spec requires the server to opt-in to allo=
w cross domain requests by the use of special HTTP headers and supporting s=
ome "pre-flight" HTTP calls.
> Why should CouchDB support this: in larger, high traffic site, it is comm=
on to serve the static UI files from a separate, differently scaled server =
complex than the data access/API server layer. Also, there are some API ser=
vices that are meant to be centrally hosted, but allow API consumers to use=
 the API from different domains. In these cases, the UI in the browser woul=
d need to do cross domain requests to access CouchDB servers that act as th=
e API/data access server layer.
> JSONP is not enough in these cases since it is limited to GET requests, s=
o no POSTing or PUTing of documents.
> Some information from Firefox's perspective (functionality available as o=
f Firefox 3.5):
> https://developer.mozilla.org/en/HTTP_access_control
> And information on Safari/Webkit (functionality in latest WebKit and Safa=
ri 4):
> http://developer.apple.com/safari/library/documentation/AppleApplications=
/Conceptual/SafariJSProgTopics/Articles/XHR.html
> IE 8 also uses the Access Control spec, but the requests have to go throu=
gh their XDomainRequest object (XDR):
> http://msdn.microsoft.com/en-us/library/cc288060%28VS.85%29.aspx
> and I thought IE8 only allowed GET or POST requests through their XDR.
> But as far as CouchDB is concerned, implementing the Access Control heade=
rs should be enough, and hopefully IE 9 will allow normal xdomain requests =
via XHR.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrato=
rs
For more information on JIRA, see: http://www.atlassian.com/software/jira