[jira] [Updated] (COUCHDB-431) Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
[ https://issues.apache.org/jira/browse/COUCHDB-431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Newson updated COUCHDB-431:
    Priority: Blocker (was: Minor)

Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
---
    Key: COUCHDB-431
    URL: https://issues.apache.org/jira/browse/COUCHDB-431
    Project: CouchDB
    Issue Type: New Feature
    Components: HTTP Interface
    Affects Versions: 0.9
    Reporter: James Burke
    Assignee: Benoit Chesneau
    Priority: Blocker
    Fix For: 1.3
    Attachments: 0001-cors-support.-should-fix-COUCHDB-431-2.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, A_0001-Generalize-computing-the-appropriate-headers-for-any.patch, A_0002-Send-server-headers-for-externals-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch, A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch, cors.html, cors_test.html, test_cors2-1.tgz, test_cors2.tgz

Historically, browsers have been restricted to making XMLHttpRequests (XHRs) to the same origin (domain) as the web page making the request. However, the latest browsers now support cross-domain requests by implementing the Access Control spec from the W3C: http://dev.w3.org/2006/waf/access-control/

In order to keep older servers safe that assume browsers only do same-domain requests, the Access Control spec requires the server to opt in to allowing cross-domain requests by the use of special HTTP headers and by supporting some pre-flight HTTP calls.

Why should CouchDB support this: in larger, high-traffic sites, it is common to serve the static UI files from a separate, differently scaled server complex than the data access/API server layer. Also, there are some API services that are meant to be centrally hosted, but allow API consumers to use the API from different domains. In these cases, the UI in the browser would need to do cross-domain requests to access CouchDB servers that act as the API/data access server layer. JSONP is not enough in these cases since it is limited to GET requests, so no POSTing or PUTing of documents.

Some information from Firefox's perspective (functionality available as of Firefox 3.5): https://developer.mozilla.org/en/HTTP_access_control

And information on Safari/WebKit (functionality in latest WebKit and Safari 4): http://developer.apple.com/safari/library/documentation/AppleApplications/Conceptual/SafariJSProgTopics/Articles/XHR.html

IE 8 also uses the Access Control spec, but the requests have to go through their XDomainRequest object (XDR): http://msdn.microsoft.com/en-us/library/cc288060%28VS.85%29.aspx and I thought IE8 only allowed GET or POST requests through their XDR. But as far as CouchDB is concerned, implementing the Access Control headers should be enough, and hopefully IE 9 will allow normal xdomain requests via XHR.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (COUCHDB-431) Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
[ https://issues.apache.org/jira/browse/COUCHDB-431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Lehnardt updated COUCHDB-431:
    Fix Version/s: (was: 1.2) 1.3

Bump to 1.3.x.

    Priority: Minor
    Fix For: 1.3
    Attachments: 0001-cors-support.-should-fix-COUCHDB-431-2.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, A_0001-Generalize-computing-the-appropriate-headers-for-any.patch, A_0002-Send-server-headers-for-externals-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch, A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch, cors.html, cors_test.html, test_cors2-1.tgz, test_cors2.tgz
[jira] [Updated] (COUCHDB-431) Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
[ https://issues.apache.org/jira/browse/COUCHDB-431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Chaffee updated COUCHDB-431:
    Comment: was deleted
    (was:
    CORS isn't about security. It means Cross-Origin Resource Sharing. We shouldn't forget that.

    True! As I said back in May [1]. Admittedly this is a nuanced distinction, but if you think it's about security, then you misunderstand either what CORS is or what security means.

    [1] it's not hard security, just a message from the server that tells the client "here's the data, and here's a hint about how I think you should use it" (which hint is ignored by everybody except web browsers). - comment 13041182

    I haven't looked at the patch code yet, but if you do a whitelist please make sure it is disableable, or at least that it supports all variations of localhost (127.0.0.1, 0.0.0.0, file:///...), since I'd like to use CouchDB as a store for a Chrome browser plugin (with couch and browser running on the same machine).
    )

    Priority: Minor
    Fix For: 1.2
    Attachments: 0001-cors-support.-should-fix-COUCHDB-431-2.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, A_0001-Generalize-computing-the-appropriate-headers-for-any.patch, A_0002-Send-server-headers-for-externals-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch, A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch, cors.html, cors_test.html, test_cors2-1.tgz, test_cors2.tgz
[jira] [Updated] (COUCHDB-431) Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
[ https://issues.apache.org/jira/browse/COUCHDB-431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benoit Chesneau updated COUCHDB-431:
    Attachment: 0001-cors-support.-should-fix-COUCHDB-431.patch

New version of the patch.

- Remove headers added accidentally.
- Join headers in a macro as one list instead of separating them in 2 variables (Simple Couch). The list is commented to still distinguish these headers.
- Add the possibility to customize custom headers if needed via settings.
- Document module.
- Prepare commit message.

@adam any reason to change the origin member in the secobj? ok?

    Priority: Minor
    Fix For: 1.2
    Attachments: 0001-cors-support.-should-fix-COUCHDB-431-2.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, A_0001-Generalize-computing-the-appropriate-headers-for-any.patch, A_0002-Send-server-headers-for-externals-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch, A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch, cors.html, test_cors2-1.tgz, test_cors2.tgz
[jira] [Updated] (COUCHDB-431) Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
[ https://issues.apache.org/jira/browse/COUCHDB-431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Smith updated COUCHDB-431:
    Attachment: cors_test.html

Example page demonstrating how to exploit CORS to gain privileged access to a couch.

Instructions:
1. Log in to couch A, e.g. http://localhost:5984/_utils
2. Load this file in your browser from a different origin, e.g. http://jhs.iriscouch.com/files/cors/index.html
3. Enter Couch A's URL in the form and press Go

The simulated malicious page can query your couch with your full rights and privileges. If it notices that you are the admin, it creates a database and then a design doc that rejects all commits.

This demonstrates that, as-is, this patch makes CouchDB vulnerable to any third-party site. The third-party site can query CouchDB freely, using the authenticated identity of the visitor to the site.

I will try to convert this to proper unit tests and build a subsequent patch which avoids this bug.

    Priority: Minor
    Fix For: 1.2
    Attachments: 0001-cors-support.-should-fix-COUCHDB-431-2.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, A_0001-Generalize-computing-the-appropriate-headers-for-any.patch, A_0002-Send-server-headers-for-externals-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch, A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch, cors.html, cors_test.html, test_cors2-1.tgz, test_cors2.tgz
[jira] [Updated] (COUCHDB-431) Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
[ https://issues.apache.org/jira/browse/COUCHDB-431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benoit Chesneau updated COUCHDB-431:
    Comment: was deleted
    (was:
    This is just expected behavior when you request credentials. You can block this exploit by setting the origins you want to accept in the db security object. I'm not sure this is really an issue here. The web is based on trust by nature.

    Anyway, what we can do is:
    - make CORS optional via a setting
    - block credentials by default on /db/* except if origins on a db are set. Have a setting that would allow people to bypass this setting.

    I will propose a patch that does that in the coming hours. Would it solve your expectations?
    )

    Priority: Minor
    Fix For: 1.2
    Attachments: 0001-cors-support.-should-fix-COUCHDB-431-2.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, A_0001-Generalize-computing-the-appropriate-headers-for-any.patch, A_0002-Send-server-headers-for-externals-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch, A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch, cors.html, cors_test.html, test_cors2-1.tgz, test_cors2.tgz
[jira] [Updated] (COUCHDB-431) Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
[ https://issues.apache.org/jira/browse/COUCHDB-431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benoit Chesneau updated COUCHDB-431:
    Attachment: 0001-cors-support.-should-fix-COUCHDB-431.patch

Improved patch which takes Randall's comments into consideration:

- CORS-specific functions have been moved to the couch_httpd_cors module. couch_httpd is already big enough.
- The check_origin1 and check_origin functions have been merged into one function. The origin is also split only once.
- Fix typos.
- Remove the set_preflight_headers function.

Tested on Safari, Chrome, Firefox. ok?

    Priority: Minor
    Fix For: 1.2
    Attachments: 0001-cors-support.-should-fix-COUCHDB-431-2.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, A_0001-Generalize-computing-the-appropriate-headers-for-any.patch, A_0002-Send-server-headers-for-externals-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch, A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch, cors.html, test_cors2-1.tgz, test_cors2.tgz
[jira] [Updated] (COUCHDB-431) Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
[ https://issues.apache.org/jira/browse/COUCHDB-431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benoit Chesneau updated COUCHDB-431:
    Attachment: test_cors2-1.tgz
    Attachment: 0001-cors-support.-should-fix-COUCHDB-431-2.patch

Updated version of the patch to support CouchDB authentication. Tests have been updated as well.

Also attached is a new version of the JavaScript demo, test_cors2-1.tgz. To test authentication, set a CouchDB admin admin/test and open cors2.html in your browser.

    Priority: Minor
    Fix For: 1.2
    Attachments: 0001-cors-support.-should-fix-COUCHDB-431-2.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, A_0001-Generalize-computing-the-appropriate-headers-for-any.patch, A_0002-Send-server-headers-for-externals-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch, A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch, cors.html, test_cors2-1.tgz, test_cors2.tgz
[jira] [Updated] (COUCHDB-431) Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
[ https://issues.apache.org/jira/browse/COUCHDB-431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benoit Chesneau updated COUCHDB-431:
    Attachment: test_cors2.tgz
    Attachment: 0001-cors-support.-should-fix-COUCHDB-431.patch

This patch adds support for CORS based on the http://www.w3.org/TR/cors/ spec + tests. This is a different implementation from the one proposed by Jason. It uses the process registry to pass custom headers so we can manage authentication easily.

Supported:
- simple preflight requests.
- possibility to forbid access per db by setting origins in secobj (see the Erlang tests):
    { ... origins: ["http://someorigin"] }
- CORS headers are only available if the Origin header is present in the request (like the spec says).

test_cors2.tgz is also attached to test it. To use it, untar the file, push the couchapp using couchapp or erica to a database named couch, then open the cors.html file under another server or from the file system.

    Priority: Minor
    Fix For: 1.2
    Attachments: 0001-cors-support.-should-fix-COUCHDB-431.patch, A_0001-Generalize-computing-the-appropriate-headers-for-any.patch, A_0002-Send-server-headers-for-externals-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch, A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch, cors.html, test_cors2.tgz
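The server-side opt-in the issue description sketches (headers plus a pre-flight OPTIONS exchange), the credentialed cross-origin access Jason Smith's cors_test.html demonstrates, and the per-database "origins" list in the security object from this patch, put together as an added example. This is not CouchDB's code (the patch is Erlang); it is a small Python model of the decision a server makes for one request. The function names, the configuration shape, the method and header allowlists and the sample origins are assumptions:

```python
# Added example, not CouchDB code: a model of the server-side CORS decision
# discussed in COUCHDB-431. Function names, the config shape, the method and
# header lists and the sample origins are assumptions; the "origins" field
# mirrors the secobj field mentioned in the patch description.
from typing import Dict, Iterable, List, Tuple

ALLOWED_METHODS = "GET, HEAD, POST, PUT, DELETE, OPTIONS"  # assumed server policy
ALLOWED_HEADERS = "Accept, Content-Type, Authorization"    # assumed server policy
PREFLIGHT_MAX_AGE = "600"  # seconds a browser may cache a preflight answer


def origin_allowed(origin: str, allowed: Iterable[str]) -> bool:
    """Exact whole-origin match (scheme + host + port).

    Prefix or substring checks are the classic CORS mistake: an allowlist
    entry "http://app.example.com" must not admit
    "http://app.example.com.evil.net".
    """
    return origin in set(allowed)


def db_policy(secobj: Dict, server_origins: Iterable[str] = ()) -> Tuple[List[str], bool]:
    """Allowlist and credential policy for one database.

    Modelled on the proposal in the thread: credentials are only granted on
    /db/* when that database's security object names its origins; otherwise
    fall back to the server-wide list, without credentials.
    """
    origins = secobj.get("origins")
    if origins:
        return list(origins), True
    return list(server_origins), False


def cors_headers(method: str, headers: Dict[str, str],
                 allowed_origins: Iterable[str],
                 allow_credentials: bool = False) -> Dict[str, str]:
    """CORS response headers for one request, or {} when none apply.

    {} means the browser refuses to expose the response to the calling page,
    which is the safe default for every origin not on the allowlist.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin")
    if origin is None:
        return {}  # same-origin or non-browser client: nothing to add
    allowed = list(allowed_origins)
    if "*" in allowed and not allow_credentials:
        allow_origin = "*"  # anonymous, public data only
    elif origin_allowed(origin, allowed):
        allow_origin = origin  # echo back exactly the one listed origin
    else:
        return {}  # unknown origin: stay silent, the browser blocks the response

    out = {"Access-Control-Allow-Origin": allow_origin, "Vary": "Origin"}
    # Credentials (cookies, HTTP auth) only ever for a named origin. Browsers
    # reject "*" with credentials, and echoing *any* Origin together with
    # Allow-Credentials lets every third-party page act as the logged-in
    # visitor, which is what the cors_test.html demo shows.
    if allow_credentials and allow_origin != "*":
        out["Access-Control-Allow-Credentials"] = "true"

    if method == "OPTIONS" and "access-control-request-method" in h:
        # Preflight: announce which non-simple methods and headers are acceptable.
        out["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        out["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
        out["Access-Control-Max-Age"] = PREFLIGHT_MAX_AGE
    return out


def reflect_any_origin(headers: Dict[str, str]) -> Dict[str, str]:
    """The unsafe pattern, for contrast: echo whatever Origin arrives and grant
    credentials. Modelled on the behaviour the thread describes, not on the
    patch's actual code."""
    origin = {k.lower(): v for k, v in headers.items()}.get("origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


if __name__ == "__main__":
    # Constructed sample: the visitor is logged in to the couch, and a page on
    # another origin issues a credentialed GET against /db.
    allowed, creds = db_policy({"origins": ["http://app.example.com"]})
    print(cors_headers("GET", {"Origin": "http://app.example.com"}, allowed, creds))
    print(cors_headers("GET", {"Origin": "http://evil.example"}, allowed, creds))
    print(reflect_any_origin({"Origin": "http://evil.example"}))
```

The two things to check when reviewing any CORS implementation are visible in the contrast between cors_headers and reflect_any_origin: the origin comparison must be an exact match against an explicit list, and Access-Control-Allow-Credentials must never accompany a reflected or wildcard origin, because the browser will then attach the visitor's cookies to requests made by any page that knows the couch's URL.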
[jira] [Updated] (COUCHDB-431) Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
[ https://issues.apache.org/jira/browse/COUCHDB-431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Benoit Chesneau updated COUCHDB-431: Attachment: 0001-cors-support.-should-fix-COUCHDB-431.patch
New version of the patch: removing a spurious log; checked out run.tpl back.
Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec --- Key: COUCHDB-431 URL: https://issues.apache.org/jira/browse/COUCHDB-431 Project: CouchDB Issue Type: New Feature Components: HTTP Interface Affects Versions: 0.9 Reporter: James Burke Assignee: Benoit Chesneau Priority: Minor Fix For: 1.2 Attachments: 0001-cors-support.-should-fix-COUCHDB-431.patch, 0001-cors-support.-should-fix-COUCHDB-431.patch, A_0001-Generalize-computing-the-appropriate-headers-for-any.patch, A_0002-Send-server-headers-for-externals-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch, A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch, cors.html, test_cors2.tgz
[jira] [Updated] (COUCHDB-431) Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
[ https://issues.apache.org/jira/browse/COUCHDB-431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Randall Leeds updated COUCHDB-431: -- Fix Version/s: 1.2
Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec --- Key: COUCHDB-431 URL: https://issues.apache.org/jira/browse/COUCHDB-431 Project: CouchDB Issue Type: New Feature Components: HTTP Interface Affects Versions: 0.9 Reporter: James Burke Assignee: Randall Leeds Priority: Minor Fix For: 1.2 Attachments: A_0001-Generalize-computing-the-appropriate-headers-for-any.patch, A_0002-Send-server-headers-for-externals-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch, A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch, cors.html
[jira] [Updated] (COUCHDB-431) Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
[ https://issues.apache.org/jira/browse/COUCHDB-431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jason Smith updated COUCHDB-431: Attachment: A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch A_0002-Send-server-headers-for-externals-responses.patch A_0001-Generalize-computing-the-appropriate-headers-for-any.patch
Initial idea. This has very heavy couch_config:get/2 calls. Couch now prevents _show and other functions from handling HTTP OPTIONS, because this implementation simply checks for OPTIONS early on and returns {ok:true}. CORS uses OPTIONS to request permission but only the response headers matter.
Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec --- Key: COUCHDB-431 URL: https://issues.apache.org/jira/browse/COUCHDB-431 Project: CouchDB Issue Type: New Feature Components: HTTP Interface Affects Versions: 0.9 Reporter: James Burke Priority: Minor Attachments: A_0001-Generalize-computing-the-appropriate-headers-for-any.patch, A_0002-Send-server-headers-for-externals-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch, A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch
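Added example, not CouchDB's code and not taken from either set of patches in this thread: a stand-alone JavaScript policy function that shows the server-side behaviour the comments above describe. It covers Benoit Chesneau's two points (a per-database allow-list of origins, and no CORS headers at all unless the request carries an Origin header) and Jason Smith's point that a preflight OPTIONS request is answered by response headers alone, before any _show or other handler sees it. The database names, the DB_ORIGINS shape, the allowed method and header lists, the 204 preflight status and the sample requests are all constructed for illustration; CouchDB's real configuration keys differ.

```javascript
// Added example (not CouchDB code). Runs under Node.js with no server.
// Decides which Access-Control-* headers, if any, to send for one request
// against one database, and recognises preflight (OPTIONS) requests.

// Methods and request headers this policy is willing to advertise to browsers
// (constructed lists, not CouchDB's).
const ALLOWED_METHODS = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'OPTIONS'];
const ALLOWED_HEADERS = ['content-type', 'authorization', 'if-match'];

// Constructed per-database configuration, modelled on the thread's
// {"origins": ["http://someorigin"]} idea. The shape is hypothetical.
const DB_ORIGINS = {
  couch: ['http://app.example.com', 'https://app.example.com'],
  public: ['*'], // wildcard: read-only public data, browsers will not send cookies with '*'
};

// A preflight is an OPTIONS request carrying Access-Control-Request-Method.
function isPreflight(req) {
  return req.method === 'OPTIONS' && Boolean(req.headers['access-control-request-method']);
}

// Returns the CORS response headers for `req` ({method, headers} with
// lower-cased header names) against database `dbName`. An empty object means
// "send no CORS headers": the browser then blocks the cross-origin read, which
// is the safe default and exactly what a same-origin-only server does today.
function corsHeaders(dbName, req) {
  const origin = req.headers.origin;
  // Per the spec a request without Origin is not a CORS request at all.
  if (!origin) return {};

  const allowed = DB_ORIGINS[dbName] || [];
  const wildcard = allowed.includes('*');
  // Exact, case-sensitive comparison of the whole origin. A prefix or
  // substring match would admit http://app.example.com.evil.net.
  if (!wildcard && !allowed.includes(origin)) return {};

  const headers = {
    // Echo the specific origin rather than '*' when credentials are allowed;
    // browsers reject the combination '*' + Allow-Credentials.
    'Access-Control-Allow-Origin': wildcard ? '*' : origin,
    // The answer depends on Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
  if (!wildcard) headers['Access-Control-Allow-Credentials'] = 'true';

  if (isPreflight(req)) {
    const method = req.headers['access-control-request-method'].toUpperCase();
    if (!ALLOWED_METHODS.includes(method)) return {};
    const wanted = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!wanted.every((h) => ALLOWED_HEADERS.includes(h))) return {};
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '3600'; // seconds the browser may cache this answer
  }
  return headers;
}

// Dispatcher: a preflight is answered with status 204 and headers only and
// never reaches the database handler; anything else continues normally.
function handle(dbName, req) {
  const headers = corsHeaders(dbName, req);
  if (isPreflight(req)) return { status: 204, headers, body: null };
  return { status: 200, headers, body: `handled ${req.method} on ${dbName}` };
}

// Constructed sample requests for a stand-alone run.
const samples = {
  noOrigin: { method: 'GET', headers: {} },
  allowedGet: { method: 'GET', headers: { origin: 'http://app.example.com' } },
  lookalike: { method: 'GET', headers: { origin: 'http://app.example.com.evil.net' } },
  preflightPut: {
    method: 'OPTIONS',
    headers: {
      origin: 'http://app.example.com',
      'access-control-request-method': 'PUT',
      'access-control-request-headers': 'Content-Type',
    },
  },
};
for (const [name, req] of Object.entries(samples)) {
  console.log(name, JSON.stringify(handle('couch', req)));
}
```

The deny path returns no headers rather than an error status: a browser treats the absence of Access-Control-Allow-Origin as a refusal, and keeping the response identical to what a non-CORS server would send means a misconfigured client learns nothing about which origins are on the list.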
[jira] [Updated] (COUCHDB-431) Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec
[ https://issues.apache.org/jira/browse/COUCHDB-431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jason Smith updated COUCHDB-431: Attachment: cors.html
A file I was using for testing.
Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec --- Key: COUCHDB-431 URL: https://issues.apache.org/jira/browse/COUCHDB-431 Project: CouchDB Issue Type: New Feature Components: HTTP Interface Affects Versions: 0.9 Reporter: James Burke Priority: Minor Attachments: A_0001-Generalize-computing-the-appropriate-headers-for-any.patch, A_0002-Send-server-headers-for-externals-responses.patch, A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch, A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch, cors.html