Sorry for bringing up an old thread but since the question was asked I thought someone might find this CORS middleware module I worked on useful.
https://github.com/adrian/swift/tree/cors What it does is examine each request, decide if it's cross origin or not and then deal with it appropriately (i.e. is it a pre-flight request or an actual request). In theory (and outside a browser) it works but the problem (and why I've parked any further work on it for now) is that none of the browsers out there today fully support the CORS specification. They can deal with simple requests but when the server returns non-standard headers (such as X-Auth-Token and X-Storage-Service) the browser hides them from the client Javascript. The browser should whitelist all headers listed in Access-Control-Expose-Headers and pass them on to the Javascript. Unfortunately this isn't happening. I've tested the latest versions of Chrome, Firefox and IE. There has been some reference to this problem on various projects so for now I'm tracking their progress. http://code.google.com/p/chromium/issues/detail?id=87338 https://bugzilla.mozilla.org/show_bug.cgi?id=608735 https://bugs.webkit.org/show_bug.cgi?id=41210 When I last tested (1-Feb) Access-Control-Expose-Headers was still being ignored. I'm not holding this code out as being complete or working. I just thought it was worth sharing where I got to and what my findings were. Adrian -----Original Message----- From: openstack-bounces+adrian_f_smith=dell....@lists.launchpad.net [mailto:openstack-bounces+adrian_f_smith=dell....@lists.launchpad.net] On Behalf Of Brian Waldon Sent: Sunday, January 08, 2012 11:11 PM To: Paul Querna Cc: openstack@lists.launchpad.net Subject: Re: [Openstack] Cross-Origin Resource Sharing & OpenStack APIs Thanks for bringing this to our attention, Paul. It is extremely important to design our APIs to be as consumable as possible. I am personally more involved in Nova and Glance, but I would still love to try to fit these headers into each of their APIs. We are in the process of drafting new API specs for both right now (Glance v2 might actually be finalized), but I will work with you to see what we can do. Thanks! Brian Waldon On Jan 6, 2012, at 3:26 PM, Paul Querna wrote: > Hello, > > I was wondering what people think about adding Cross-Origin Resource > Sharing Headers to all OpenStack APIs by default. > > Essentially, this would allow people to make pure frontend javascript > clients, which would could be hosted on domains different than the > API: > http://www.w3.org/TR/cors/ > > More examples of how to use this are here: > https://developer.mozilla.org/En/HTTP_access_control > > This boils down to a few changes in OpenStack implementations, mostly > it is when an OPTIONS request is sent to the APIs, respond with a 200, > and send something like following headers: > > Access-Control-Allow-Origin: * > Access-Control-Allow-Methods: GET, OPTIONS,POST,PUT,DELETE > Access-Control-Allow-Headers: X-Auth-Token > Access-Control-Max-Age: 1728000 > > This would especially be helpful when working against Keystone, as it > would let you make applications where the user is prompted for their > username & password, and then their token is fetched purely from > client side javascript. > > The only concern of course is potential security implications. > However, I've not been able to think of a viable threat model for any > OpenStack APIs at this time. > > Thoughts? > > Thanks, > > Paul > > _______________________________________________ > Mailing list: https://launchpad.net/~openstack > Post to : openstack@lists.launchpad.net > Unsubscribe : https://launchpad.net/~openstack > More help : https://help.launchpad.net/ListHelp _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp