iandees / xapi-servlet

XAPI Servlet
A Java servlet implementation of XAPI using Osmosis to do the heavy lifting.

Cross-origin requests (CORS) headers #22

Closed samatjain closed 12 years ago

samatjain commented 12 years ago

Now that JXAPI supports JSON, Web applications running from within a Web browser can make requests to JXAPI directly. Unfortunately, cross-domain restrictions prevent this from working.

CORS headers tell a Web browser that it's OK to make a request to a service running on a different domain.

See enable-cors.org and the W3C specification for more information.

In theory, the minimum you need is:

Access-Control-Allow-Origin: *

This will allow any Web application running on any domain to connect to a JXAPI instance. It's a good idea to have an option where people running JXAPI instances can specify the value for this header so they can restrict access.

A complication (mentioned in the spec): Web browsers perform a "pre-flight request" to check whether a URL supports CORS. This is usually an HTTP OPTIONS request, followed by a GET/POST/whatever if access is allowed.

iandees commented 12 years ago

What URL does the browser request for its "pre-flight request"? It might be pretty difficult if it requests the root URL because the servlet container doesn't usually let you handle requests for the root of the host.

samatjain commented 12 years ago

The preflight request is for the URL we're requesting.

I.e. for URL http://example.com/xapi/api/0.6/node/1

  1. Browser sends HTTP OPTIONS request for http://example.com/xapi/api/0.6/node/1
  2. Browser checks for CORS headers on that response. I'm not sure if the browser cares what else is in the response.
  3. Browser performs an HTTP GET request for http://example.com/xapi/api/0.6/node/1
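
One way to implement what the two comments above describe in a servlet container, as an added example that is not code from the xapi-servlet project: a filter that emits the CORS headers, lets the operator restrict `Access-Control-Allow-Origin` through a filter init-param (the name `allowedOrigin` is an assumption), and answers the OPTIONS pre-flight for the same URL without running the XAPI query.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Adds CORS headers to every XAPI response. Register it in web.xml for the
// XAPI URL pattern; the init-param name "allowedOrigin" is an assumption.
public class CorsFilter implements Filter {
    private String allowedOrigin;

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("allowedOrigin");
        // Operators can pin one origin; "*" (any origin) is only the fallback.
        allowedOrigin = (configured == null || configured.isEmpty()) ? "*" : configured;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String origin = request.getHeader("Origin");
        if (origin != null) {
            // Only a matching origin gets the header; anything else receives no
            // Access-Control-Allow-Origin, so the browser blocks the cross-origin read.
            if ("*".equals(allowedOrigin)) {
                response.setHeader("Access-Control-Allow-Origin", "*");
            } else if (allowedOrigin.equals(origin)) {
                response.setHeader("Access-Control-Allow-Origin", origin);
                response.addHeader("Vary", "Origin"); // keep shared caches per-origin
            }
            response.setHeader("Access-Control-Allow-Methods", "GET, OPTIONS");
        }

        // Pre-flight: the browser sends OPTIONS to the same URL before the real GET.
        // Reply with the headers alone; the XAPI query only runs for the real request.
        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```
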

iandees commented 12 years ago

This should be live on jxapi.osm.org.