Brooks Boyd created COUCHDB-2763:
------------------------------------
Summary: CORS Authentication issues
Key: COUCHDB-2763
URL: https://issues.apache.org/jira/browse/COUCHDB-2763
Project: CouchDB
Issue Type: Bug
Security Level: public (Regular issues)
Components: HTTP Interface
Reporter: Brooks Boyd
With a CouchDB server running 1.5.0 (Iriscouch instance), and a database that
is set to have one user as administrator and member (so no unauthenticated
requests can view content of the database), I've run into an issue with
cross-site requests:
CORS requests to POST endpoints get "preflighted" by making an OPTIONS request
first. However, the preflight request has most headers stripped out, including
authentication headers. So, when trying to access the POST _changes endpoint
(http://docs.couchdb.org/en/latest/api/database/changes.html#post--db-_changes),
if I create the XHR request with no authorization
("Access-Control-Request-Headers" header does not include "authorization"), the
OPTIONS query works, but then the POST returns a 401, which seems correct.
However, if I create the XHR request with authorization
("Access-Control-Request-Headers" includes "authorization", but no
Authorization header is in the OPTIONS request as a preflight request, nor any
cookies that might be bearing a session authentication key), the OPTIONS call
itself returns a 401 error, which aborts the call.
Having the OPTIONS call return a 401 like that kills all the cross-origin
requests that need authorization, it seems?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
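To make the reported failure mode concrete, here is a constructed Python model (added here, not CouchDB's code) of a request handler that checks authentication before recognising the preflight, beside one that answers the preflight first; the origin, credential and header values are assumed.

```python
"""Constructed model of the preflight failure reported above: browsers send
the CORS preflight (OPTIONS) without Authorization or cookies, so a server
that authenticates before recognising the preflight answers 401 and aborts."""
ALLOWED_ORIGINS = {"https://app.example"}        # assumed allowed origin
ALLOWED_HEADERS = "Authorization, Content-Type"
VALID_TOKEN = "Basic YWxpY2U6c2VjcmV0"            # constructed credential

# Constructed preflight: header *names* are announced, but no Authorization value.
PREFLIGHT = {
    "Origin": "https://app.example",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "authorization, content-type",
}

def is_preflight(method, headers):
    """OPTIONS carrying Origin and Access-Control-Request-Method is a preflight."""
    return (method == "OPTIONS" and "Origin" in headers
            and "Access-Control-Request-Method" in headers)

def cors_headers(origin):
    """CORS response headers for an allowed origin; empty for any other."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
            "Access-Control-Allow-Headers": ALLOWED_HEADERS,
            "Vary": "Origin"}

def authenticated(headers):
    return headers.get("Authorization") == VALID_TOKEN

def handle_buggy(method, headers):
    """Ticket behaviour: authentication runs first, so the preflight gets 401."""
    if not authenticated(headers):
        return 401, {}
    origin = headers.get("Origin", "")
    if is_preflight(method, headers):
        return 204, cors_headers(origin)
    return 200, cors_headers(origin)

def handle_fixed(method, headers):
    """Answer the preflight before authentication; the real request that
    follows must still carry valid credentials."""
    origin = headers.get("Origin", "")
    if is_preflight(method, headers):
        return 204, cors_headers(origin)   # no credentials expected here
    if not authenticated(headers):
        return 401, {}
    return 200, cors_headers(origin)
```

With the fixed ordering the preflight for an unknown origin still gets no CORS headers, so the browser refuses it, while the authenticated POST that follows a successful preflight is the only place credentials are checked.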