Kapelianovych / couchdb_dart

A library for Dart developers for work with CouchDB
https://pub.dev/packages/couchdb

CORS and the Origin Header #5

Closed dmjohnsson23 closed 5 years ago

dmjohnsson23 commented 5 years ago

I noticed you also added my changes regarding the Origin header to the CouchDbBaseClient class and the CouchDbServerClient class. That's not really necessary because CORS and the Origin header only really have meaning when coming from the browser; therefore, that code should probably only live in the CouchDbWebClient class. Making the Origin header optional was a good idea though, since it seems some browsers prefer to set it themselves.

Kapelianovych commented 5 years ago

@dmjohnsson23 What if the server and the database are hosted on different machines? For this situation CORS is useful in CouchDbServerClient. Such circumstances may not come up, though. This is the reason why I moved the CORS functionality to CouchDbBaseClient.

dmjohnsson23 commented 5 years ago

CORS is related to a browser security feature designed to prevent cross-site scripting by preventing one site from connecting to another via the user's browser (where it would have access to things like a user's authentication tokens). Thus, at least so far as I understand, it only pertains when the request is sent by the browser. If the request is sent by the application server to the database server, the application server is the client in that exchange and therefore does not need to use CORS because it is communicating directly with the database server instead of through the user's browser.

Kapelianovych commented 5 years ago

@dmjohnsson23 Hmm... I am not able to reproduce a situation where the server needs a CORS header, so OK, in the next version of the package I will remove CORS from CouchDbServerClient.
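
The distinction discussed in this thread, as an added example that is not part of the original issue or of the couchdb package: a local stand-in HTTP server (not CouchDB) returns the full response to a non-browser client whatever Origin header it sends, and only the browser-side check, simplified here, depends on `Access-Control-Allow-Origin`. The origin names, the handler and the helper functions are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_ORIGIN = "https://app.example"  # constructed value
BODY = b'{"ok": true}'

class Handler(BaseHTTPRequestHandler):
    """Stand-in for a database HTTP API that allows one CORS origin."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        # The server only adds a header; it never refuses the request.
        if self.headers.get("Origin") == ALLOWED_ORIGIN:
            self.send_header("Access-Control-Allow-Origin", ALLOWED_ORIGIN)
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        self.wfile.write(BODY)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch(port, origin=None):
    """Non-browser client, like an application server calling the database."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Origin": origin} if origin else {})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Access-Control-Allow-Origin"), resp.read()
    finally:
        conn.close()

def browser_would_expose(origin, acao):
    """Simplified browser rule for letting page script read a cross-origin response."""
    return acao == "*" or (origin is not None and acao == origin)

def demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = {}
        for origin in (None, ALLOWED_ORIGIN, "https://other.example"):
            status, acao, body = fetch(server.server_address[1], origin)
            results[origin] = (status, body, browser_would_expose(origin, acao))
        return results
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for origin, outcome in demo().items():
        print(origin, outcome)
```

Every row comes back with status 200 and the full body; only the last field, the browser's decision, differs between origins, so access to the database itself still has to be restricted by authentication and network controls.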