[jira] [Commented] (CALCITE-1082) CORS Support for Avatica Requests

["Josh Elser (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/CALCITE-1082?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15139414#comment-15139414 ] 

Josh Elser commented on CALCITE-1082:
-------------------------------------

Moved this one too, [~brane2]. I've run into CORS before, I'm a little fuzzy. Have you thought about the security implications of this? If we would set the header, are there other things we'd have to worry about (in other words, do we need an option to turn this on/off per user)?

> CORS Support for Avatica Requests
> ---------------------------------
>
>                 Key: CALCITE-1082
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1082
>             Project: Calcite
>          Issue Type: New Feature
>          Components: avatica
>            Reporter: Steve T
>            Priority: Minor
>
> It would be super cool if I could write Javascript in a web page to read/write my Phoenix tables.  I spend the last few days learning about CORS and browser security.  I found out that what I am trying to accomplish cannot be readily done because the browser adds CORS headers (like {color:blue}{{Origin: <whatever>}}{color}) and methods (like {color:blue}{{method: OPTIONS}}{color}) that are not supported by Phoenix Query Server.
> I do not know if this can be added on the Phoenix side or if it has to be added on the Avatica side, but for the time being I am trying the following to make it work:
> 1.  Unconventional Javascript to remove the {color:blue}{{X-Requested-With}}{color} header in the request.
> 2.  One line code change in Avatica's {color:blue}{{AvaticaJsonHandler.handle()}}{color} to add an {color:blue}{{Access-Control-Allow-Origin: *}}{color} header to the response.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)