This has been brought up a few times but I think it's about time we come up with a real plan to solve it.
CouchDB currently can't add access control headers for cross-site HTTP requests from the browser for anything other than show and list. That means all the regular API calls as well as attachments can't be served with these headers. The latest issue I bumped into was that Firefox implements these restrictions for fetching fonts defined with @font-face, annoying!

http://www.w3.org/TR/cors/
https://developer.mozilla.org/En/HTTP_Access_Control

Some of the earlier discussion was centered around adding any arbitrary headers to some user-defined set of requests. I don't have a solid use case in my head for headers other than Access Control, nor do I think that any other headers that could be added would have the same security implications, so I'd like to come up with a plan that is actually targeted at cross-site requests from the browser rather than some other generic feature for header addition.

The suggestion that jchris had was that what we should probably do is allow you to set in the config a database (or databases) that has these headers added to every request with that db prefix.

These are the most common headers we need to worry about:

  Access-Control-Allow-Origin: http://foo.example
  Access-Control-Allow-Methods: POST, GET, OPTIONS
  Access-Control-Allow-Headers: X-PINGOTHER
  Access-Control-Allow-Credentials: true

I think the first 3 should be user-configurable and, unless we have a good objection, we always add "Access-Control-Allow-Credentials: true".

Thoughts?

-Mikeal

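An added illustration of the per-database proposal above, written as a small header-computation function; it is not CouchDB's code and not part of Mikeal's message. The config shape (`CORS_CONFIG`, keyed by database name), the function names and the sample origin/path values are assumptions. It shows one consequence of always sending `Access-Control-Allow-Credentials: true`: browsers reject a wildcard origin in that case, so the configured origin has to be matched and echoed back explicitly rather than emitted as `*`.

```python
# Hypothetical model of the proposal: per-database CORS configuration.
# Added illustration, not CouchDB's implementation; config shape and
# function names are assumptions.
from typing import Optional

# Constructed config: db name -> allowed origins, methods and request headers.
CORS_CONFIG = {
    "public_db": {
        "origins": ["http://foo.example"],
        "methods": ["POST", "GET", "OPTIONS"],
        "headers": ["X-PINGOTHER"],
    },
}


def db_for_path(path: str) -> str:
    """Return the database-name prefix of a request path such as /db/doc."""
    parts = path.strip("/").split("/", 1)
    return parts[0] if parts else ""


def cors_headers(path: str, origin: Optional[str], method: str,
                 config: dict = CORS_CONFIG) -> dict:
    """Compute the Access-Control-* headers to add to one response.

    Returns an empty dict when the request is not cross-site (no Origin
    header), the database is not configured for CORS, or the requesting
    origin is not on that database's allow-list.
    """
    if not origin:
        return {}
    rules = config.get(db_for_path(path))
    if rules is None or origin not in rules["origins"]:
        return {}
    # Credentials are always allowed, so the origin must be echoed
    # explicitly: browsers reject "*" combined with credentials=true.
    hdrs = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Vary on Origin so a shared cache never serves one origin's
        # response headers to a different origin.
        "Vary": "Origin",
    }
    if method == "OPTIONS":  # preflight: advertise permitted methods/headers
        hdrs["Access-Control-Allow-Methods"] = ", ".join(rules["methods"])
        hdrs["Access-Control-Allow-Headers"] = ", ".join(rules["headers"])
    return hdrs
```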