Hi,

We had a great discussion today, Jason, Randall and me, about the CORS feature [1]. I'm posting here the current result, which you can find on friendpaste [2] too. I think it's a pretty good start and we can begin to code it. The implementation is mostly a merge between Jason's proposal and mine imo. Thoughts?

- benoît

[1] https://issues.apache.org/jira/browse/COUCHDB-431
[2] http://friendpaste.com/4q1zeNUEtPFS7XbioPYYzM

guidelines:
------------------

- rules should be based on host.
- rules depending on the resource:
    - server: rules defined in .ini
    - db: rules defined in .db
- default cors policy:
    - allows credential = false
    - cors enabled
- cors can be disabled globally

rules definition:

global wide

    [httpd]
    cors_enabled = true

    [origins]
    domain.tld = http://origin.tld, https://origin.tld

    [http://origin.tld]
    allow_methods = GET, POST
    allow_headers = x-couchdb-...
    allow_credentials = false

    [https://origin.tld]
    allow_methods = GET, PUT, POST, DELETE
    allow_headers = x-couchdb-...
    allow_credentials = true
    allow_server_admins = true
    max-age = 36000

on db _security object:

    {
        "origins": {
            "domain.tld": [
                {"http://origin.tld": { "allow_methods": "GET, POST", ...}}
            ]
        }
    }

work flow:

    is origins list empty in ini
        yes -> is admin party set ?
            yes -> return "*" , credentials false (with a good caching policy)
            no -> stop
        no -> is origin in .ini ?
            yes -> is origin in list ?
                yes -> set the cors headers based on .ini then
                       are we on a db resource ?
                           yes -> apply the intersection of .ini with db resource
                           no -> stop
                no ->
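
The work flow above, as an added Python example (not part of the original message and not CouchDB code). The function name `cors_headers`, the `x-placeholder` header, and the `Vary: Origin` header are assumptions; the branches cut off after "no ->" are assumed to mean "send no CORS headers", and a missing db rule is assumed to leave the .ini policy unchanged.

```python
import configparser

# Constructed sample: the global rules from the proposal, with the elided
# allow_headers value replaced by a placeholder header name.
INI = """
[httpd]
cors_enabled = true
[origins]
domain.tld = http://origin.tld, https://origin.tld
[http://origin.tld]
allow_methods = GET, POST
allow_headers = x-placeholder
allow_credentials = false
[https://origin.tld]
allow_methods = GET, PUT, POST, DELETE
allow_headers = x-placeholder
allow_credentials = true
"""

def _set(value):
    """Split a comma-separated config value into a set of tokens."""
    return {v.strip() for v in value.split(",") if v.strip()}

def cors_headers(ini_text, host, origin, db_rule=None, admin_party=False):
    """Return the CORS response headers, or None when the request gets none."""
    ini = configparser.ConfigParser(delimiters=("=",))
    ini.read_string(ini_text)
    if not ini.getboolean("httpd", "cors_enabled", fallback=True):
        return None                                   # disabled globally
    origins = dict(ini["origins"]) if ini.has_section("origins") else {}
    if not origins:                                   # empty list in .ini
        return {"Access-Control-Allow-Origin": "*"} if admin_party else None
    # Assumption: the truncated "no ->" branches mean "send no CORS headers".
    if origin not in _set(origins.get(host, "")) or not ini.has_section(origin):
        return None
    rule = ini[origin]
    methods = _set(rule.get("allow_methods", ""))
    headers = _set(rule.get("allow_headers", ""))
    creds = rule.getboolean("allow_credentials", fallback=False)
    if db_rule is not None:                           # db resource: intersect
        methods &= _set(db_rule.get("allow_methods", ""))
        headers &= _set(db_rule.get("allow_headers", ""))
        creds = creds and bool(db_rule.get("allow_credentials", False))
    out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin",
           "Access-Control-Allow-Methods": ", ".join(sorted(methods)),
           "Access-Control-Allow-Headers": ", ".join(sorted(headers))}
    if creds:                                         # never combined with "*"
        out["Access-Control-Allow-Credentials"] = "true"
    return out
```

Because the db rule is intersected with the .ini rule, a database can only narrow what the server-wide policy grants for an origin, never widen it.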
