CouchDB / COUCHDB-431

cors - aka Cross-Origin Resource Sharing support

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 0.9
    • Fix Version/s: 1.3
    • Component/s: HTTP Interface
    • Labels:
      None
    • Skill Level:
      Regular Contributors Level (Easy to Medium)

      Description

      Historically, browsers have been restricted to making XMLHttpRequests (XHRs) to the same origin (domain) as the web page making the request. However, the latest browsers now support cross-domain requests by implementing the Access Control spec from the W3C:
      http://dev.w3.org/2006/waf/access-control/

      In order to keep older servers safe that assume browsers only do same-domain requests, the Access Control spec requires the server to opt-in to allow cross domain requests by the use of special HTTP headers and supporting some "pre-flight" HTTP calls.

      Why should CouchDB support this: in larger, high-traffic sites, it is common to serve the static UI files from a separate, differently scaled server complex than the data access/API server layer. Also, there are some API services that are meant to be centrally hosted, but allow API consumers to use the API from different domains. In these cases, the UI in the browser would need to do cross-domain requests to access CouchDB servers that act as the API/data access server layer.

      JSONP is not enough in these cases since it is limited to GET requests, so no POSTing or PUTing of documents.

      Some information from Firefox's perspective (functionality available as of Firefox 3.5):
      https://developer.mozilla.org/en/HTTP_access_control

      And information on Safari/Webkit (functionality in latest WebKit and Safari 4):
      http://developer.apple.com/safari/library/documentation/AppleApplications/Conceptual/SafariJSProgTopics/Articles/XHR.html

      IE 8 also uses the Access Control spec, but the requests have to go through their XDomainRequest object (XDR):
      http://msdn.microsoft.com/en-us/library/cc288060%28VS.85%29.aspx

      and I thought IE8 only allowed GET or POST requests through their XDR.

      But as far as CouchDB is concerned, implementing the Access Control headers should be enough, and hopefully IE 9 will allow normal xdomain requests via XHR.

      Attachments

      1. test_cors2-1.tgz (69 kB, Benoit Chesneau)
      2. test_cors2.tgz (69 kB, Benoit Chesneau)
      3. cors.html (2 kB, Jason Smith)
      4. cors_test.html (3 kB, Jason Smith)
      5. check_method_cors.patch (1 kB, Benoit Chesneau)
      6. A_0004-Respond-to-CORS-preflight-checks-HTTP-OPTIONS.patch (2 kB, Jason Smith)
      7. A_0003-Usably-correct-w3c-CORS-headers-for-valid-requests.patch (6 kB, Jason Smith)
      8. A_0002-Send-server-headers-for-externals-responses.patch (3 kB, Jason Smith)
      9. A_0001-Generalize-computing-the-appropriate-headers-for-any.patch (2 kB, Jason Smith)
      10. 0001-cors-support.-should-fix-COUCHDB-431-2.patch (21 kB, Benoit Chesneau)
      11. 0001-cors-support.-should-fix-COUCHDB-431.patch (19 kB, Benoit Chesneau)
      12. 0001-cors-support.-should-fix-COUCHDB-431.patch (19 kB, Benoit Chesneau)
      13. 0001-cors-support.-should-fix-COUCHDB-431.patch (21 kB, Benoit Chesneau)
      14. 0001-cors-support.-should-fix-COUCHDB-431.patch (24 kB, Benoit Chesneau)

          Activity

          James Burke created issue -
          Paul Joseph Davis made changes -
          Field Original Value New Value
          Skill Level Regular Contributors Level (Easy to Medium)
          Jason Smith made changes -
          Attachment cors.html [ 12479262 ]
          Randall Leeds made changes -
          Assignee Randall Leeds [ tilgovi ]
          Randall Leeds made changes -
          Fix Version/s 1.2 [ 12315198 ]
          Randall Leeds made changes -
          Link This issue duplicates COUCHDB-832 [ COUCHDB-832 ]
          Benoit Chesneau made changes -
          Assignee Randall Leeds [ tilgovi ] Benoit Chesneau [ benoitc ]
          Benoit Chesneau made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          Benoit Chesneau made changes -
          Attachment 0001-cors-support.-should-fix-COUCHDB-431.patch [ 12491527 ]
          Attachment test_cors2.tgz [ 12491528 ]
          Benoit Chesneau made changes -
          Attachment 0001-cors-support.-should-fix-COUCHDB-431-2.patch [ 12491613 ]
          Attachment test_cors2-1.tgz [ 12491614 ]
          Benoit Chesneau made changes -
          Jason Smith made changes -
          Attachment cors_test.html [ 12492257 ]
          Benoit Chesneau made changes -
          Comment [

          This is just expected behavior when you request credentials. You can
          block this "exploit" by setting the origins you want to accept in the
          db security object. I'm not sure this is really an issue here. The web is
          based on trust by nature.

          Anyway, what we can do, however, is:

          - making cors optional via a setting
          - block by default credentials on /db/* except if origins on a db are
          set. Have a setting that would allow people to bypass this setting

          I will propose a patch that does that in coming hours. Would it solve
          your expectations?
          ]
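          As an added illustration (not code from this issue or from CouchDB) of the opt-in flow the description explains and of the per-database origins whitelist proposed in the comment above, the following Python sketch computes the CORS response headers for one request. `CorsPolicy`, `db_origins` and `allow_credentials_bypass` are assumed names standing in for a db security object's origins list and a server-wide setting.

```python
# Added example, not CouchDB's own code: a CORS policy check modelled on the issue
# text (server opt-in via response headers, an OPTIONS preflight) and on the
# proposal above to allow credentials only for databases with an origins whitelist.
# CorsPolicy, db_origins and allow_credentials_bypass are names assumed here.
from dataclasses import dataclass, field

# Methods a database endpoint would legitimately receive cross-origin (assumed).
ALLOWED_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE")

@dataclass
class CorsPolicy:
    enabled: bool = True                    # "making cors optional via a setting"
    allow_credentials_bypass: bool = False  # the weak setting: credentials w/o whitelist
    # db name -> set of exact origins ("scheme://host[:port]"). Each localhost
    # variant (http://localhost:5984, http://127.0.0.1:5984, ...) needs its own entry.
    db_origins: dict = field(default_factory=dict)

def cors_headers(policy, db, origin, method, requested_method=None):
    """Return the CORS response headers for one request, or {} to grant nothing.

    For a preflight, `method` is "OPTIONS" and `requested_method` carries the
    browser's Access-Control-Request-Method header.
    """
    if not policy.enabled or origin is None:
        return {}
    whitelist = policy.db_origins.get(db)
    if whitelist is not None:
        if origin not in whitelist:
            return {}  # untrusted origin for this db: no CORS headers at all
        headers = {"Access-Control-Allow-Origin": origin,
                   "Access-Control-Allow-Credentials": "true",
                   "Vary": "Origin"}  # response depends on Origin; keep caches honest
    elif policy.allow_credentials_bypass:
        # Reflecting any origin together with credentials lets every site the
        # user visits read that user's data with the user's own cookies.
        headers = {"Access-Control-Allow-Origin": origin,
                   "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
    else:
        # Default: public wildcard. Without Allow-Credentials the browser withholds
        # the response from credentialed requests, so cookies cannot be abused.
        headers = {"Access-Control-Allow-Origin": "*"}
    if method == "OPTIONS" and requested_method is not None:
        if requested_method.upper() not in ALLOWED_METHODS:
            return {}  # preflight fails: the browser never sends the real request
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
        headers["Access-Control-Max-Age"] = "3600"  # browser caches the decision
    return headers
```

Origins are compared as exact strings, which is why the localhost variants mentioned later in this thread each need their own whitelist entry.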
          Alex Chaffee made changes -
          Comment [ "CORS isn't about security. It means Cross-Origin Resource Sharing . We shouldn't forget that."

          True! As I said back in May [1]. Admittedly this is a nuanced distinction, but if you think it's about security, then you misunderstand either what CORS is or what security means.

          [1] "it's not hard security, just a message from the server that tells the client "here's the data, and here's a hint about how I think you should use it" (which hint is ignored by everybody except web browsers)." - comment 13041182

          I haven't looked at the patch code yet but if you do a whitelist please make sure it is disableable, or at least that it supports all variations of localhost (127.0.0.1, 0.0.0.0, file:///...) since I'd like to use CouchDB as a store for a Chrome browser plugin (with couch and browser running on the same machine).
          ]
          Jan Lehnardt made changes -
          Fix Version/s 1.3 [ 12318350 ]
          Fix Version/s 1.2 [ 12315198 ]
          Robert Newson made changes -
          Priority Minor [ 4 ] Blocker [ 1 ]
          Benoit Chesneau made changes -
          Summary Support cross domain XMLHttpRequest (XHR) calls by implementing Access Control spec CORS
          Benoit Chesneau made changes -
          Summary CORS cors - aka Cross-Origin Resource Sharing support
          Benoit Chesneau made changes -
          Attachment check_method_cors.patch [ 12552106 ]
          Benoit Chesneau made changes -
          Comment [ If this is something wanted, why not. The attached patch does that. But is it something that we want? ]
          Dave Cottlehuber made changes -
          Fix Version/s 1.4 [ 12323451 ]
          Fix Version/s 1.3 [ 12318350 ]
          Jan Lehnardt made changes -
          Fix Version/s 1.4 [ 12323451 ]
          Jan Lehnardt made changes -
          Status In Progress [ 3 ] Closed [ 6 ]
          Fix Version/s 1.3 [ 12318350 ]
          Resolution Fixed [ 1 ]

            People

            • Assignee: Benoit Chesneau
            • Reporter: James Burke
            • Votes: 18
            • Watchers: 15