Open karlcz opened 7 years ago
I'm not seeing any feedback that this is a high priority issue, so we'll park it for now. We need some motivating use cases for how we want CORS to interact with credentials and fine-grained ACLs, including how many levels of trust a server admin might want to express for other origins.
I think this was driven by the desire to use JBROWSE in Facebase….
According to @robes that was just to allow a non-standard deployment for development purposes. The actual deployment would put the jbrowse stuff on the same server and not involve any cross-domain requests.
Ahh, ok.
Carl
Dr. Carl Kesselman Dean’s Professor, Epstein Department of Industrial and Systems Engineering Fellow, Information Sciences Institute Viterbi School of Engineering
Professor, Preventive Medicine Keck School of Medicine
University of Southern California 4676 Admiralty Way, Suite 1001, Marina del Rey, CA 90292-6695 Phone: +1 (310) 448-9338 Email: carl@isi.edu Web: http://www.isi.edu/~carl
On Mar 16, 2017, at 4:58 PM, Karl Czajkowski notifications@github.com wrote:
According to @robes that was just to allow a non-standard deployment for development purposes. The actual deployment would put the jbrowse stuff on the same server and not involve any cross-domain requests.
That’s right
The hatrac service does not implement the OPTIONS method for HTTP.
@kylechard @robes we need to define the scope of this...
OPTIONS request processing
Every resource should support this:

* Origin: the origin or origins of the page causing the request on the browser (null or a space-separated list of origins, e.g. https://server1 http://server2:port)
* Access-Control-Request-Method: the all-caps HTTP method name the browser plans to use with the actual request, e.g. GET
* Access-Control-Request-Headers: comma-separated list of header names the browser plans to send with the actual request

* Allow: comma-separated list of all-caps HTTP method names supported by the resource (for the current client), e.g. Allow: GET,OPTIONS
* Access-Control-Allow-Origin: * or null or a single origin?
* Access-Control-Allow-Credentials: true to say we want our cookies sent w/ the cross-origin request
* Access-Control-Expose-Headers: comma-separated list of response header names exposed (exposed means the cross-origin client can view the response header content)
* Access-Control-Allow-Methods: comma-separated list of all-caps method names
* Access-Control-Allow-Headers: comma-separated list of request header names allowed (allowed means the cross-origin client can specify the request header content)
* Access-Control-Max-Age: delta seconds as one or more decimal ASCII digits
Extensions to regular request processing
The CORS response headers should actually be included in most responses to cover cases where the browser opportunistically sends the request rather than doing a pre-flight via OPTIONS.

* Access-Control-Allow-Credentials
* Access-Control-Allow-Headers, if the request had Access-Control-Request-Headers
* Access-Control-Allow-Origin: says whether this specific response can be shared; also include Origin in the Vary response header if content is restricted!
* Access-Control-Expose-Headers
Cross-site concerns

* Origin headers against our policy on all requests, not just in the new OPTIONS request handler.
* ACLs into public access in CORS terms?
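The two paths sketched above (an OPTIONS pre-flight handler, plus the CORS headers that every ordinary response should carry) can be written as one small policy module. The following is an added example, not code from hatrac or from anyone in this thread; the trusted-origin set, supported methods, allowed and exposed header names and the max-age value are constructed placeholders standing in for whatever a server admin would configure. It also goes slightly beyond the notes above in two ways the CORS spec requires: it never pairs a wildcard Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, and a literal null Origin or a space-separated multi-origin list never matches a single trusted origin and so gets no grant.

```python
"""Added example: CORS pre-flight and per-response header policy (not hatrac's code)."""
from typing import Dict, List, Optional, Tuple

# Constructed policy for the example; a real server would load this from config.
TRUSTED_ORIGINS = {"https://app.example.org"}           # origins allowed credentialed access
SUPPORTED_METHODS = ("GET", "HEAD", "PUT", "DELETE", "OPTIONS")
ALLOWED_REQUEST_HEADERS = {"content-type", "content-md5", "authorization"}
EXPOSED_RESPONSE_HEADERS = ("Content-MD5", "ETag", "Location")
MAX_AGE_SECONDS = 600


def _split_list(value: Optional[str]) -> List[str]:
    """Parse a comma-separated header value into lower-cased, stripped tokens."""
    if not value:
        return []
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


def actual_response_headers(origin: Optional[str]) -> Dict[str, str]:
    """CORS headers to attach to any normal (non-OPTIONS) response.

    Returned whether or not the browser pre-flighted, because simple requests
    (e.g. GET without custom headers) are sent without an OPTIONS round-trip.
    """
    # The response differs by Origin, so shared caches must key on it; otherwise
    # one origin's Access-Control-Allow-Origin could be served to another.
    headers = {"Vary": "Origin"}
    # A literal "null" Origin or a space-separated list can never equal a single
    # trusted origin, so those requests fall through with no grant at all.
    if origin is not None and origin in TRUSTED_ORIGINS:
        # Echo the single trusted origin. "*" is not allowed together with
        # Access-Control-Allow-Credentials: true, and would also share
        # ACL-restricted content with every site.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
        headers["Access-Control-Expose-Headers"] = ", ".join(EXPOSED_RESPONSE_HEADERS)
    return headers


def preflight_response(request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Handle an OPTIONS pre-flight; returns (status, response headers).

    request_headers is a mapping of HTTP header names (any case) to values.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin")
    method = req.get("access-control-request-method", "").upper()
    wanted = _split_list(req.get("access-control-request-headers"))

    # Allow is a plain HTTP OPTIONS answer and is sent regardless of CORS policy.
    headers = {"Allow": ", ".join(SUPPORTED_METHODS), "Vary": "Origin"}

    permitted = (
        origin in TRUSTED_ORIGINS
        and method in SUPPORTED_METHODS
        and all(h in ALLOWED_REQUEST_HEADERS for h in wanted)
    )
    if not permitted:
        # No Access-Control-* grants at all: the browser will refuse to send the
        # actual request. 200 with Allow is still a valid OPTIONS reply.
        return 200, headers

    headers.update(actual_response_headers(origin))
    headers["Access-Control-Allow-Methods"] = ", ".join(SUPPORTED_METHODS)
    if wanted:
        # Echo only the names the browser asked for; all are within policy.
        headers["Access-Control-Allow-Headers"] = ", ".join(wanted)
    headers["Access-Control-Max-Age"] = str(MAX_AGE_SECONDS)
    return 204, headers


if __name__ == "__main__":
    # Constructed sample pre-flight from the trusted origin.
    sample = {
        "Origin": "https://app.example.org",
        "Access-Control-Request-Method": "PUT",
        "Access-Control-Request-Headers": "Content-Type, Content-MD5",
    }
    print(preflight_response(sample))
    print(preflight_response({"Origin": "https://other.example", "Access-Control-Request-Method": "GET"}))
```

Denied pre-flights deliberately return a 200 with only Allow and Vary rather than an error status: the refusal is expressed by the absence of Access-Control-* headers, which is what the browser actually checks, and the plain OPTIONS semantics stay intact for non-browser clients. Vary: Origin is emitted unconditionally because the response genuinely depends on Origin even when the answer is "no grant".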