restlet / restlet-framework-java

The first REST API framework for Java
https://restlet.talend.com

Support CORS (Cross-Origin Resource Sharing) #216

Open thboileau opened 12 years ago

thboileau commented 12 years ago

Initial ticket: http://restlet.tigris.org/issues/show_bug.cgi?id=994

jlouvel commented 12 years ago

We should support the CORS approach now that it is widely implemented: http://www.w3.org/TR/cors/

New headers:

adennie commented 10 years ago

FYI, I'm implementing this now for a framework I'm working on; I may be able to contribute something once I've got it working.

jlouvel commented 10 years ago

Sounds good, Andy. That would be a great enhancement to the Restlet API.

adennie commented 10 years ago

I'm trying to figure out the "Restlet way" to implement this... would a CorsService with a CorsFilter be a good approach?

-Andy


jlouvel commented 10 years ago

What I had in mind was something along the lines of the org.restlet.data.ChallengeRequest and ChallengeResponse classes: http://restlet.org/learn/javadocs/snapshot/jee/api/index.html?org/restlet/data/ChallengeRequest.html

These org.restlet.data.AccessControlRequest and AccessControlResponse classes would be used via Request#accessControlRequest and accessControlResponse properties and automatically populated if present in the lower-level HTTP message.

adennie commented 10 years ago

Ah, you're talking about exposing the CORS-related request and response headers, I think. That's useful also, but I was thinking about providing an implementation of the CORS-related functionality (e.g. allow configuration of allowed origins, allowed headers, exposed headers, etc. in a CorsService and then use that config info in a CorsFilter to insert appropriate headers into the response for pre-flight and normal CORS requests).
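
An added example (not Restlet's code and not Andy's CorsFilter) of the decision such a service/filter pair would make, in plain Java with hypothetical names: the policy holds the configured origins, methods, headers and exposed headers, and `headersFor` returns the response headers for a preflight or a normal CORS request, or nothing when the request is denied.

```java
import java.util.*;
// Hypothetical CORS policy object (the "CorsService" role) whose decision a
// filter (the "CorsFilter" role) would apply to each response. Not Restlet's code.
public class CorsPolicy {
    private final Set<String> allowedOrigins, allowedMethods, allowedHeaders;
    private final List<String> exposedHeaders;
    public CorsPolicy(List<String> origins, List<String> methods,
                      List<String> headers, List<String> exposed) {
        allowedOrigins = new LinkedHashSet<>(origins);        // exact matches only, no "*"
        allowedMethods = new LinkedHashSet<>(methods);
        allowedHeaders = new LinkedHashSet<>();
        for (String h : headers) allowedHeaders.add(h.toLowerCase(Locale.ROOT));
        exposedHeaders = exposed;
    }
    // Response headers to add; an empty map means "denied" or "not a CORS request".
    public Map<String, String> headersFor(String method, Map<String, String> req) {
        Map<String, String> out = new LinkedHashMap<>();
        String origin = req.get("Origin");
        if (origin == null || !allowedOrigins.contains(origin)) return out;
        boolean preflight = "OPTIONS".equals(method)
                && req.containsKey("Access-Control-Request-Method");
        if (preflight) {
            if (!allowedMethods.contains(req.get("Access-Control-Request-Method"))) return out;
            String requested = req.getOrDefault("Access-Control-Request-Headers", "");
            for (String h : requested.split(",")) {            // every requested header must be allowed
                String name = h.trim().toLowerCase(Locale.ROOT);
                if (!name.isEmpty() && !allowedHeaders.contains(name)) return out;
            }
            out.put("Access-Control-Allow-Origin", origin);
            out.put("Access-Control-Allow-Methods", String.join(", ", allowedMethods));
            if (!requested.isEmpty()) out.put("Access-Control-Allow-Headers", requested);
            out.put("Access-Control-Max-Age", "600");
        } else {                                               // actual (non-preflight) request
            out.put("Access-Control-Allow-Origin", origin);
            if (!exposedHeaders.isEmpty())
                out.put("Access-Control-Expose-Headers", String.join(", ", exposedHeaders));
        }
        out.put("Vary", "Origin");                             // answer is origin-specific: keep caches honest
        return out;
    }
    public static void main(String[] args) {                   // constructed sample requests
        CorsPolicy p = new CorsPolicy(List.of("https://app.example"), List.of("GET", "POST"),
                List.of("Content-Type", "X-Api-Key"), List.of("X-Request-Id"));
        Map<String, String> pre = Map.of("Origin", "https://app.example",
                "Access-Control-Request-Method", "POST",
                "Access-Control-Request-Headers", "content-type, x-api-key");
        System.out.println(p.headersFor("OPTIONS", pre));                                   // preflight: allowed
        System.out.println(p.headersFor("GET", Map.of("Origin", "https://other.example")));  // unknown origin: {}
    }
}
```

Echoing the validated origin back rather than emitting `*` keeps credentialed requests working only for the configured origins, and `Vary: Origin` prevents a shared cache from serving one origin's answer to another.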

jlouvel commented 10 years ago

That's definitely complementary. I'm not sure how the CorsService could work, but it could definitely let you configure and insert an inbound CorsFilter. Interested in details.

You might want to consider outbound support in this filter for client-side calls in the future, like AJAX does by default in modern browsers.

adennie commented 10 years ago

Here's a sneak peek, still a bit rough, but you can get the idea:

https://github.com/adennie/vroom/blob/master/vroom-core/src/main/java/com/fizzbuzz/vroom/core/api/service/CorsService.java

https://github.com/adennie/vroom/blob/master/vroom-core/src/main/java/com/fizzbuzz/vroom/core/api/filter/CorsFilter.java

Any general feedback on how it's structured would be appreciated.

jlouvel commented 10 years ago

Andy, I looked at the code and found the implementation compelling, especially the handlePreflightRequest method.

Once you get this stable, it would be great to refactor the CORS header manipulation logic into AccessControlRequest and AccessControlResponse classes to complete this feature.

To see how the headers reading/writing logic is handled, check this class: https://github.com/restlet/restlet-framework-java/blob/master/modules/org.restlet/src/org/restlet/engine/header/HeaderUtils.java

adennie commented 10 years ago

Thanks for taking a look, and for the pointer to the header reading/writing logic.

By the way, I'm not sure I grasp the value of implementing the client side of the CORS protocol for outbound Restlet requests. Is Restlet enforcing a Same Origin Policy for outbound requests?

-Andy


jlouvel commented 10 years ago

I agree client-side support could be done as a second step, it isn't necessary for your use case.

Having it could help build more secure browser-like clients / server-side mashups.

gpulido commented 10 years ago

I would like to know if this is planned to be implemented / added to Restlet at any time.

jlouvel commented 10 years ago

This is scheduled for version 2.3, see draft roadmap: https://github.com/restlet/restlet-framework-java/wiki/Road-map-of-version-2.3-(draft)

Any contributions to make it happen earlier are welcome :)

thboileau commented 3 years ago

Let's check the complete list of CORS headers.