Randall, Benoit, others: See http://friendpaste.com/4q1zeNUEtPFS7XbioPYYzM
The spec says to use the global config for non-DB resources, or if a database has no _security object. Some questions: 1. What if there is a _security object but nothing about CORS? For example, I use Futon to add a DB admin. 2. What if there is a _security config *and* a global config? 2a. Do allowed methods accumulate? E.g. _security says allow_methods "GET, POST" and the config says allow_methods "GET, PUT". Is it (i) "GET, POST", (ii) "GET, PUT, POST", or (iii), "GET, PUT"? 2b. What about max_age? Does the _security value win? The global value win? Or does the greater or lesser value win? 3. If CORS is working for a db, but the global config has httpd/cors_enabled=false, what is the response for that database? -- Iris Couch
