Posted to dev@couchdb.apache.org by "Stanisław (JIRA)" <ji...@apache.org> on 2010/07/22 20:08:49 UTC
[jira] Created: (COUCHDB-832) Handling HTTP OPTIONS method
Handling HTTP OPTIONS method
----------------------------
Key: COUCHDB-832
URL: https://issues.apache.org/jira/browse/COUCHDB-832
Project: CouchDB
Issue Type: Bug
Components: HTTP Interface
Affects Versions: 1.0
Reporter: Stanisław
Method OPTIONS is not allowed, which disables the ability for cross-site XMLHttpRequest (other than GET) within the browser (see: http://www.w3.org/TR/cors)
Current headers:
curl -X OPTIONS http://localhost:5984 -v
...
< HTTP/1.1 405 Method Not Allowed
< Server: CouchDB/1.0.0 (Erlang OTP/R13B)
< Date: Thu, 22 Jul 2010 17:56:59 GMT
< Content-Type: text/plain;charset=utf-8
< Content-Length: 64
< Cache-Control: must-revalidate
< Allow: GET,HEAD
Expected headers:
HTTP/1.1 200 OK
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER
Stan.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (COUCHDB-832) Handling HTTP OPTIONS method
Posted by "luisbebop (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12894050#action_12894050 ]
luisbebop commented on COUCHDB-832:
-----------------------------------
Hi Chris.
You're totally right. I created this patch to use CouchDb for a very specific application that some few users will use. The security flaw that I have allowing all domains in origin is not a big problem for me.
But to apply this implementation on trunk, I'd imagine a new configuration section where we can set the domains that we will allow on Origin header. The w3c cors spec recommends this control on server side. For example:
%we have to change this line, to get a list of allowed origins. Not the origin that came on header request.
Origin = header_value(Req, "Origin", "*"),
DefaultHeaders = [
{"Content-Type", negotiate_content_type(Req)},
- {"Cache-Control", "must-revalidate"}
+ {"Cache-Control", "must-revalidate"},
+ {"Access-Control-Allow-Origin", Origin},
+ {"Access-Control-Allow-Headers", "Content-Type, Authorization"},
+ {"Access-Control-Allow-Credentials", "true"}
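Review bot: the `Origin = header_value(Req, "Origin", "*")` line echoes whatever Origin the client sent (or "*" when none was sent) straight into `Access-Control-Allow-Origin` while the same hunk adds `Access-Control-Allow-Credentials: true`, so every site gets credentialed cross-origin access, which is exactly the concern raised earlier in the thread. Look the request Origin up in the configured allowlist and emit `Access-Control-Allow-Origin` only when it matches, with no "*" fallback (the CORS spec does not permit "*" on a credentialed response anyway), and add `Vary: Origin` since the response now depends on that request header. The hunk also only changes `DefaultHeaders`, which is sent on every response; it does not show the OPTIONS preflight handling (the 405 on OPTIONS and `Access-Control-Allow-Methods`) that the issue itself asks for.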
I think we have 50% the job done. I'd appreciate if you implement the section and the function to get the allowed domains, because I'm an Erlang newbie.
Thanks for your response and the amazing work with couchdb and couch.io.
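The allowlist lookup sketched in the comment above, together with the OPTIONS preflight response the issue's "Expected headers" describe, as one added example in Python. This is not CouchDB's Erlang code and not the gist's patch; it only shows the policy logic. Assumptions are labelled in the code: request header names arrive lower-cased in a dict, the allowlist is an explicit set of origins read from configuration, and the methods and request headers permitted cross-origin are the constructed constants at the top.

```python
"""Origin-allowlist CORS policy (illustrative Python, not CouchDB code).

Assumptions (constructed for this example): header names are passed lower-cased
in a dict, the allowlist is an explicit set of origins from configuration, and
ALLOWED_METHODS / ALLOWED_REQUEST_HEADERS are the operator's chosen policy.
"""
from typing import Dict, Optional, Set, Tuple

# Methods and request headers a cross-origin caller may use (constructed policy).
ALLOWED_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")
ALLOWED_REQUEST_HEADERS = ("Content-Type", "Authorization")
_ALLOWED_REQUEST_HEADERS_LOWER = {h.lower() for h in ALLOWED_REQUEST_HEADERS}


def allowed_origin(req_headers: Dict[str, str], allowlist: Set[str]) -> Optional[str]:
    """Return the request's Origin if, and only if, it is on the configured allowlist.

    The comparison is on the whole origin (scheme://host[:port]); a prefix or
    substring match would admit a host like https://app.example.test.evil.test.
    """
    origin = req_headers.get("origin")
    if origin is None:
        return None  # same-origin or non-browser client: emit no CORS headers
    return origin if origin in allowlist else None


def cors_response(method: str, req_headers: Dict[str, str],
                  allowlist: Set[str]) -> Tuple[Optional[int], Dict[str, str]]:
    """Compute the CORS part of a response as (status, headers).

    status is set only when this function decides the whole response (a
    preflight). None means: run the normal handler and merge these headers in.
    """
    origin = allowed_origin(req_headers, allowlist)
    is_preflight = method == "OPTIONS" and "access-control-request-method" in req_headers

    if origin is None:
        # Not an allowed cross-origin caller: refuse a preflight outright; an
        # actual request gets no CORS headers, so the browser withholds the
        # response body from the calling page.
        return (403, {}) if is_preflight else (None, {})

    headers = {
        # Echo the validated origin, never "*": the CORS spec forbids "*" on a
        # credentialed response, and echoing an unvalidated Origin would hand
        # every site credentialed access.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # The response now depends on the Origin request header; caches must
        # key on it or one origin's answer could be served to another.
        "Vary": "Origin",
    }
    if not is_preflight:
        return (None, headers)

    # Preflight: the browser asks whether the real method and headers are allowed.
    requested_method = req_headers["access-control-request-method"].upper()
    if requested_method not in ALLOWED_METHODS:
        return (403, {})
    wanted = req_headers.get("access-control-request-headers", "")
    for name in (x.strip() for x in wanted.split(",")):
        if name and name.lower() not in _ALLOWED_REQUEST_HEADERS_LOWER:
            return (403, {})
    headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
    headers["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_REQUEST_HEADERS)
    headers["Access-Control-Max-Age"] = "600"  # seconds the browser may cache this answer
    return (200, headers)


if __name__ == "__main__":
    # Constructed sample: one trusted origin, one preflight each from a trusted
    # and an untrusted page.
    allow = {"https://app.example.test"}
    print(cors_response("OPTIONS", {"origin": "https://app.example.test",
                                    "access-control-request-method": "PUT"}, allow))
    print(cors_response("OPTIONS", {"origin": "https://other.example.test",
                                    "access-control-request-method": "PUT"}, allow))
```

Note what this does and does not cover: a preflight from an unlisted origin is refused, and an actual request from one gets no CORS headers, so the browser will not expose the response. Simple requests (GET, HEAD, and form-style POST) are still sent by the browser without a preflight, so CORS alone does not stop cookie-authenticated state changes; that is why the allowlist matters most for credentialed responses and why the admin-cookie scenario raised in the thread should be treated as a separate authentication question.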
[jira] Updated: (COUCHDB-832) Handling HTTP OPTIONS method
Posted by "Paul Joseph Davis (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-832?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Paul Joseph Davis updated COUCHDB-832:
--------------------------------------
Skill Level: Regular Contributors Level (Easy to Medium)
[jira] Commented: (COUCHDB-832) Handling HTTP OPTIONS method
Posted by "Chris Anderson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12893795#action_12893795 ]
Chris Anderson commented on COUCHDB-832:
----------------------------------------
Could you describe the nature of this patch?
I'm vaguely familiar with the use of OPTIONS for pre-flight testing of the acceptance of cross-domain requests.
Does this patch open up CouchDB to all cross-domain requests? Does that mean if you are logged into a couch as an admin, and then you visit a malicious site, they can delete all your databases / trigger outbound replication / otherwise cause mayhem?
Or is this patch more controlled? I'd imagine if we are going to support this we'll need a way to configure which domains are allowed to trigger cross domain requests.
Maybe I'm totally off-base... please let us know what you think about these issues.
[jira] Commented: (COUCHDB-832) Handling HTTP OPTIONS method
Posted by "luisbebop (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12893792#action_12893792 ]
luisbebop commented on COUCHDB-832:
-----------------------------------
I created a patch for this issue. I've implemented the W3C CORS, including "credentialed" requests.
http://gist.github.com/499002