illinois-cs241 / broadway

A distributed systems framework used for running distributable workloads.

Allow Cross Origin Resource Sharing #36

Closed Xiangmingchen closed 3 years ago

Xiangmingchen commented 3 years ago

After #35, we hope to use on-demand client code to make direct queries to broadway endpoints. However, more needs to be done for that to come true. Since broadway and on-demand are hosted on different machines, they are on different origins. Therefore broadway must allow cross origin resource sharing.

I chose to put * in Access-Control-Allow-Origin instead of just on-demand and localhost. This means browsers will allow any other website to access broadway data. This is okay because broadway does not use cookies as a form of authentication. The main reason for browsers to block cross origin requests is to prevent cookies from being sent automatically along with the request. Hence we do not take any risk by doing this.

I also just learned about preflight requests when working on this. Because we use the "Authentication" header field, browsers send a preflight request with "OPTIONS" type before the actual "POST" request. Broadway must respond that we allow the "Authentication" field.
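
The preflight exchange described in the comment above, as an added example that is not part of the pull request or broadway's code: a simplified Python model of the browser-side check against the server's preflight response. The origin is a constructed placeholder, the header name is the one written in the post, and all function names are hypothetical.

```python
# Added example: simplified model of the CORS preflight check (not broadway's code).
TOKEN_HEADER = "Authentication"  # header name as written in the post above
SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFE_HEADERS = {"accept", "accept-language", "content-language"}
SAFE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                      "multipart/form-data", "text/plain"}

def preflight_headers(allow_origin="*", allow_headers=(TOKEN_HEADER,)):
    """Server side: response headers for the OPTIONS preflight."""
    return {
        "Access-Control-Allow-Origin": allow_origin,
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
        "Access-Control-Allow-Headers": ", ".join(allow_headers),
    }

def _tokens(value):
    """Split a comma-separated header value into lowercase tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def _unsafe(headers):
    """Request header names that are not CORS-safelisted."""
    unsafe = set()
    for name, value in headers.items():
        n = name.lower()
        if n == "content-type":
            # Content-Type is safelisted only for three form/text media types.
            if value.split(";")[0].strip().lower() not in SAFE_CONTENT_TYPES:
                unsafe.add(n)
        elif n not in SAFE_HEADERS:
            unsafe.add(n)
    return unsafe

def needs_preflight(method, headers):
    """Browser side: a non-safelisted method or header forces a preflight."""
    return method.upper() not in SAFE_METHODS or bool(_unsafe(headers))

def browser_sends(resp, origin, method, headers, credentials=False):
    """Browser side: is the actual request sent after this preflight response?"""
    allow_origin = resp.get("Access-Control-Allow-Origin", "")
    if credentials:
        # With cookies attached, "*" is rejected: exact origin + Allow-Credentials.
        if allow_origin != origin or resp.get("Access-Control-Allow-Credentials") != "true":
            return False
    elif allow_origin not in ("*", origin):
        return False
    methods = {m.upper() for m in _tokens(resp.get("Access-Control-Allow-Methods", ""))}
    if method.upper() not in methods | SAFE_METHODS:
        return False
    return _unsafe(headers) <= _tokens(resp.get("Access-Control-Allow-Headers", ""))
```

With `credentials=True` the wildcard response is rejected, so a `*` origin only ever serves requests that carry no cookies. A JSON `Content-Type` on the request is also non-safelisted and has to be listed in `Access-Control-Allow-Headers` alongside the token header.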