On Mon, Nov 28, 2011 at 11:38 AM, Benoit Chesneau <[email protected]> wrote:
> Hi,
> We had a great discussion today Jason, Randall and me about the CORS
> feature [1].
> I'm posting here the current result that you can find on friendpaste
> [2] too. I think it's a pretty good start and we can begin to code it.
> Implementation is mostly a merge between Jason's proposal and mine imo.
> Thoughts ?
>
> - benoît
>
> [1] https://issues.apache.org/jira/browse/COUCHDB-431
> [2] http://friendpaste.com/4q1zeNUEtPFS7XbioPYYzM
>
> guidelines :
> ------------------
>
> - rules should be based on host .
> - rules depending on the resource :
>     - server : rules defined in .ini
>     - db : rules defined in .db
>
> - default cors policy :
>     - allows credential = false
>     - cors enabled
>     - cors can be disabled globally
>
>
> rules definition :
>
> global wide
>
>     [httpd]
>     cors_enabled = true
>
>     [origins]
>     domain.tld = http://origin.tld, https://origin.tld
>
>     [http://origin.tld]
>     allow_methods = GET, POST
>     allow_headers = x-couchdb-...
>     allow_credentials = false
>
>     [https://origin.tld]
>     allow_methods = GET, PUT, POST, DELETE
>     allow_headers = x-couchdb-...
>     allow_credentials = true
>     allow_server_admins = true
>     max-age = 36000
>
>
> on db _security object :
>
>     {
>         "origins": {
>             "domain.tld": [
>                 {"http://origin.tld": { "allow_methods": "GET, POST", ...}}
>             ]
>         }
>     }
>
>
> work flow :
>
> is origins list empty in ini
>     yes -> is admin party set ?
>         yes -> return "*" , credentials false (with a good caching policy)
>         no -> stop
>     no ->
>         is origin in .ini ?
>         yes ->
>             is origin in list ?
>             yes ->
>                 set the cors headers based on .ini
>                 then are we on a db resource ?
>                     yes ->
>                         apply the intersection of .ini with db resource
>                     no -> stop
>             no ->
>

Quick note about hosts. It should be able to set '*' to manage origins for any hosts.

- benoît
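
The work flow drafted in the quoted message, including the '*' host key from the follow-up note, as an added Python example. It is not code from the thread or from CouchDB; the function names, the fail-closed handling of the branch the draft leaves open, and the reading of "intersection" as the db rule narrowing the .ini rule are assumptions.

```python
# Added example: the draft work flow as one function. Not CouchDB code.
# Constructed sample config mirroring the draft's [origins] and per-origin sections.
INI_ORIGINS = {"domain.tld": ["http://origin.tld", "https://origin.tld"]}
INI_RULES = {
    "http://origin.tld": {"allow_methods": {"GET", "POST"},
                          "allow_credentials": False},
    "https://origin.tld": {"allow_methods": {"GET", "PUT", "POST", "DELETE"},
                           "allow_credentials": True, "max_age": 36000},
}


def intersect(ini_rule, db_rule):
    """Assumed meaning of 'intersection': the db rule can only narrow the .ini rule."""
    methods = ini_rule["allow_methods"]
    merged = dict(ini_rule)
    merged["allow_methods"] = methods & set(db_rule.get("allow_methods", methods))
    # A missing db value falls back to the draft's default (credentials = false).
    merged["allow_credentials"] = (ini_rule.get("allow_credentials", False)
                                   and db_rule.get("allow_credentials", False))
    return merged


def cors_headers(host, origin, ini_origins, ini_rules, admin_party, db_rule=None):
    """Return the CORS response headers, or None when no header is sent."""
    if not ini_origins:
        # Empty origins list: wildcard only in admin party, never with credentials.
        return {"Access-Control-Allow-Origin": "*"} if admin_party else None
    # '*' as a host key applies to any host (the follow-up note in the thread).
    allowed = ini_origins.get(host, ini_origins.get("*", []))
    if origin not in allowed or origin not in ini_rules:
        return None  # assumption: the draft leaves this branch open; fail closed
    rule = ini_rules[origin]
    if db_rule is not None:  # db resource: apply the db _security rule on top
        rule = intersect(rule, db_rule)
    headers = {
        "Access-Control-Allow-Origin": origin,  # echo the origin, not "*"
        "Access-Control-Allow-Methods": ", ".join(sorted(rule["allow_methods"])),
    }
    if rule.get("allow_credentials", False):
        headers["Access-Control-Allow-Credentials"] = "true"
    if "max_age" in rule:
        headers["Access-Control-Max-Age"] = str(rule["max_age"])
    return headers
```

Passing `db_rule=None` models a server-level resource; passing the rule found in a database's `_security` object models a db resource.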
