[ https://issues.apache.org/jira/browse/DRILL-4690?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15300306#comment-15300306 ]

ASF GitHub Bot commented on DRILL-4690:
---------------------------------------

Github user laurentgo commented on a diff in the pull request:

    https://github.com/apache/drill/pull/507#discussion_r64603060
  
    --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java ---
    @@ -159,6 +163,14 @@ public void start() throws Exception {
           
servletContextHandler.setSessionHandler(createSessionHandler(servletContextHandler.getSecurityHandler()));
         }
     
    +    if (config.getBoolean(ExecConstants.HTTP_ENABLE_CORS)) {
    +      FilterHolder cors = 
servletContextHandler.addFilter(CrossOriginFilter.class, "/*", 
EnumSet.of(DispatcherType.REQUEST));
    +      cors.setInitParameter(CrossOriginFilter.ALLOWED_ORIGINS_PARAM, "*");
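Review bot: the allowed-origin list is hard-coded to "*" in `cors.setInitParameter(CrossOriginFilter.ALLOWED_ORIGINS_PARAM, "*");`; since the whole block is already gated on `config.getBoolean(ExecConstants.HTTP_ENABLE_CORS)`, the origin list should come from a second config key (the filter's init parameter accepts a comma-separated list of origins), with "*" an explicit opt-in rather than the only behaviour. The hunk also never sets `CrossOriginFilter.ALLOW_CREDENTIALS_PARAM`, so the filter's default decides whether cross-origin requests may carry cookies; with the session handler installed in the line just above this block and the filter mapped to "/*", that parameter should be set explicitly (false unless the origin list is restricted), and the new `HTTP_ENABLE_CORS` option should be documented alongside it.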
    --- End diff --
    
    I don't have much experience regarding CORS, but should we expect admins to need 
to restrict this to a specific set of origins? I believe so, but I hope people 
more experienced regarding web security will comment on that. My take is that we 
should probably make it configurable too. Defaulting to * is probably fine, although 
not as restrictive as the same-origin policy used when the filter is disabled.
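As an added example (not code from the pull request or from the Drill project) of what the configurable version discussed in this comment could look like: the `CorsSetup` class, the `installCors` helper and the three `drill.exec.http.cors.*` config keys are hypothetical names, and the code assumes the Typesafe `Config` API that Drill's `DrillConfig` wraps plus the init parameters of Jetty's `CrossOriginFilter`.

```java
// Added example, not Drill's code: register Jetty's CrossOriginFilter with an
// admin-configurable origin list instead of a hard-coded "*".
// Hypothetical config keys (not present in Drill's ExecConstants):
//   drill.exec.http.cors.enabled            boolean
//   drill.exec.http.cors.allowed_origins    list of strings, e.g. ["https://bi.example.com"]
//   drill.exec.http.cors.allow_credentials  boolean
import java.util.EnumSet;
import java.util.List;
import javax.servlet.DispatcherType;
import com.typesafe.config.Config;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlets.CrossOriginFilter;

public final class CorsSetup {
  static final String CORS_ENABLED = "drill.exec.http.cors.enabled";
  static final String CORS_ALLOWED_ORIGINS = "drill.exec.http.cors.allowed_origins";
  static final String CORS_ALLOW_CREDENTIALS = "drill.exec.http.cors.allow_credentials";

  private CorsSetup() {}

  /**
   * Registers the CORS filter on every path of the given context, or does nothing
   * when CORS is disabled (the browser's same-origin policy then applies as before).
   */
  static void installCors(Config config, ServletContextHandler servletContextHandler) {
    if (!config.getBoolean(CORS_ENABLED)) {
      return;
    }
    List<String> origins = config.getStringList(CORS_ALLOWED_ORIGINS);
    boolean allowCredentials = config.getBoolean(CORS_ALLOW_CREDENTIALS);
    if (origins.isEmpty()) {
      throw new IllegalArgumentException(CORS_ALLOWED_ORIGINS + " must not be empty when "
          + CORS_ENABLED + " is true");
    }
    // Refuse the dangerous combination up front: a wildcard origin list together with
    // credentials would let any site an admin's browser visits call the REST API with
    // the Drill web session cookie attached.
    if (allowCredentials && origins.contains("*")) {
      throw new IllegalArgumentException(CORS_ALLOW_CREDENTIALS + " cannot be true when "
          + CORS_ALLOWED_ORIGINS + " contains \"*\"");
    }

    FilterHolder cors = servletContextHandler.addFilter(CrossOriginFilter.class, "/*",
        EnumSet.of(DispatcherType.REQUEST));
    // The filter takes its origin list as a single comma-separated init parameter.
    cors.setInitParameter(CrossOriginFilter.ALLOWED_ORIGINS_PARAM, String.join(",", origins));
    // Set this explicitly instead of relying on the filter's default, because the
    // WebServer installs a session handler (cookies) before the filter is added.
    cors.setInitParameter(CrossOriginFilter.ALLOW_CREDENTIALS_PARAM,
        String.valueOf(allowCredentials));
    // Keep the method and header allow-lists to what the REST API actually needs.
    cors.setInitParameter(CrossOriginFilter.ALLOWED_METHODS_PARAM, "GET,POST,HEAD,OPTIONS");
    cors.setInitParameter(CrossOriginFilter.ALLOWED_HEADERS_PARAM,
        "X-Requested-With,Content-Type,Accept,Origin");
  }
}
```

With this shape an admin who only wants the HTML5 application from the original report to call the REST API lists that application's origin in `drill.exec.http.cors.allowed_origins`; choosing `"*"` remains possible, but only without credentials, so the browser will not attach the Drill session cookie to requests from arbitrary sites.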


> Header in RestApi CORS support 
> -------------------------------
>
>                 Key: DRILL-4690
>                 URL: https://issues.apache.org/jira/browse/DRILL-4690
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: Wojciech Nowak
>            Priority: Minor
>
> Damien Cantreras raised a question on the mailing list about Drill RestAPI 
> support for the header "Access-Control-Allow-Origin: *", to allow it to be 
> used from an HTML5 application.
> Place where the header should be added: 
> https://github.com/apache/drill/blob/master/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
>  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
