[ 
https://issues.apache.org/jira/browse/QPID-7300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15384308#comment-15384308
 ] 

Lorenz Quack commented on QPID-7300:
------------------------------------

Hi Alex,
thanks for the review.
1. If we expose the header to the user then I am not in favour of modifying the 
choice the user made behind the scenes. If the user misconfigures the broker it 
won't work. But maybe it is not a mistake, maybe it is a test case. Who knows.
2. 
3. The first reason for that default is that it is the default of the jetty 
CORS filter implementation. Second, when I was reading about the 
X-Requested-With header my understanding was that many popular JavaScript 
libraries (e.g., jquery) add this header when making an AJAX request. My 
understanding is that this could be used on the server side to guard against 
CSRF attacks. We currently do not do this but I did not want to discourage the 
usage of this header.
4. I'm ok with adding it to the default but as with 1. I'm against "always" 
adding things.
5. At least with corsAllowMethods I think there is a use case to expose this. A 
broker admin might want to allow a limited read-only WMC and thus allow GET but 
nothing else. In principle my impression of Qpid for Java was that we expose 
virtually all configuration to the user to give them as much control and power 
as possible. Of course that also gives them the opportunity to screw up.

> [Java Broker] The REST API should support Cross Origin Resource Sharing (CORS)
> ------------------------------------------------------------------------------
>
>                 Key: QPID-7300
>                 URL: https://issues.apache.org/jira/browse/QPID-7300
>             Project: Qpid
>          Issue Type: New Feature
>          Components: Java Broker
>            Reporter: Lorenz Quack
>            Assignee: Lorenz Quack
>             Fix For: qpid-java-6.1
>
>
> Currently the broker has an embedded Web Management Console to manage the 
> broker using the REST API.
> However, it is not possible to have externally hosted web management consoles 
> due to the same origin policy enforced by the browser.
> The Broker should support [Cross Origin Resource Sharing 
> (CORS)|https://www.w3.org/TR/cors/] to allow the broker to be managed through 
> externally hosted web management consoles.
> The parameters of CORS should be configurable.
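Added example, not Qpid code and not the commenter's: a small Python model of the configuration points discussed above, showing how restricting corsAllowMethods to GET permits a read-only console and nothing else, and the X-Requested-With check mentioned in point 3. corsAllowMethods is named in the comment; corsAllowOrigins and corsAllowHeaders are assumed names for the companion settings, and the header defaults follow the Jetty CrossOriginFilter defaults the comment refers to.

```python
from dataclasses import dataclass, field


@dataclass
class CorsConfig:
    # corsAllowMethods is named on the page; the other two names are assumed.
    corsAllowOrigins: list
    corsAllowMethods: list = field(default_factory=lambda: ["GET", "POST", "HEAD"])
    # Jetty CrossOriginFilter default allowed headers (X-Requested-With included)
    corsAllowHeaders: list = field(
        default_factory=lambda: ["X-Requested-With", "Content-Type", "Accept", "Origin"])


def _lower_keys(headers):
    # HTTP header names are case-insensitive; normalise before lookup
    return {k.lower(): v for k, v in headers.items()}


def preflight_response(cfg, headers):
    """Evaluate an OPTIONS preflight against the broker-style config.
    Returns the CORS response headers to add, or None when the preflight is
    refused (the browser then blocks the cross-origin call)."""
    h = _lower_keys(headers)
    origin = h.get("origin")
    if origin not in cfg.corsAllowOrigins:
        return None
    method = h.get("access-control-request-method", "").upper()
    if method not in cfg.corsAllowMethods:
        return None  # e.g. DELETE against a GET-only (read-only) console
    requested = [x.strip().lower() for x in
                 h.get("access-control-request-headers", "").split(",") if x.strip()]
    allowed = {x.lower() for x in cfg.corsAllowHeaders}
    if any(x not in allowed for x in requested):
        return None  # a header the admin did not allow-list
    return {
        "Access-Control-Allow-Origin": origin,  # echo the single matched origin
        "Access-Control-Allow-Methods": ",".join(cfg.corsAllowMethods),
        "Access-Control-Allow-Headers": ",".join(cfg.corsAllowHeaders),
        "Vary": "Origin",  # caches must not reuse the answer for other origins
    }


def csrf_guard_ok(headers):
    """The heuristic from point 3: XHR libraries such as jQuery set
    X-Requested-With, while a plain cross-site <form> submission cannot add
    custom headers, so its absence is a signal to reject state-changing calls."""
    return _lower_keys(headers).get("x-requested-with", "").lower() == "xmlhttprequest"
```

A config such as `CorsConfig(["https://console.example"], corsAllowMethods=["GET"])` is the read-only case from point 5: GET preflights succeed, anything else is refused before the REST API sees it.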


