Hello, I was wondering what people think about adding Cross-Origin Resource Sharing Headers to all OpenStack APIs by default.
Essentially, this would allow people to make pure frontend javascript clients, which would could be hosted on domains different than the API: http://www.w3.org/TR/cors/ More examples of how to use this are here: https://developer.mozilla.org/En/HTTP_access_control This boils down to a few changes in OpenStack implementations, mostly it is when an OPTIONS request is sent to the APIs, respond with a 200, and send something like following headers: Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, OPTIONS,POST,PUT,DELETE Access-Control-Allow-Headers: X-Auth-Token Access-Control-Max-Age: 1728000 This would especially be helpful when working against Keystone, as it would let you make applications where the user is prompted for their username & password, and then their token is fetched purely from client side javascript. The only concern of course is potential security implications. However, I've not been able to think of a viable threat model for any OpenStack APIs at this time. Thoughts? Thanks, Paul _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : [email protected] Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
