Bug 646636: Allow cross-domain XHR requests on the self-serve API
Status: RESOLVED FIXED (opened 13 years ago, closed 13 years ago)
Category: Release Engineering :: General (defect, P2)
Tracking: Not tracked
People: Reporter: ehsan.akhgari, Assigned: catlee
Attachments: 1 file (patch, 1.89 KB; bear: review+, catlee: checked-in+)
+++ This bug was initially created as a clone of Bug #646487 +++

This is another thing that we need for integration of self-serve APIs with TBPL.
Assignee
Comment 1•13 years ago
What's the exact header name/value you want?
Reporter
Comment 2•13 years ago
(In reply to comment #1)
> What's the exact header name/value you want?

Unfortunately because we need to send DELETE requests, we should support preflighted requests <https://developer.mozilla.org/En/HTTP_Access_Control#Preflighted_requests>. This is a lot more complicated than I thought... :(
Assignee
Comment 3•13 years ago
(In reply to comment #2)
> (In reply to comment #1)
> > What's the exact header name/value you want?
>
> Unfortunately because we need to send DELETE requests, we should support
> preflighted requests
> <https://developer.mozilla.org/En/HTTP_Access_Control#Preflighted_requests>.
> This is a lot more complicated than I thought... :(

You can send POST with a parameter _method=DELETE
Reporter
Comment 4•13 years ago
(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > What's the exact header name/value you want?
> >
> > Unfortunately because we need to send DELETE requests, we should support
> > preflighted requests
> > <https://developer.mozilla.org/En/HTTP_Access_Control#Preflighted_requests>.
> > This is a lot more complicated than I thought... :(
>
> You can send POST with a parameter _method=DELETE

In that case, specifying this header should be all that is needed:

Access-Control-Allow-Origin: *
Assignee
Updated•13 years ago
Assignee: nobody → catlee
Priority: -- → P2
Comment 5•13 years ago
We need to allow the user's HTTP credentials to be used when accessing the self-serve API. By my reading of CORS, this means we need to send

Access-Control-Allow-Origin: tbpl.mozilla.org
Access-Control-Allow-Credentials: true

since it says you can't use "*" when making cross-origin requests with credentials. That might be problematic for those running their own TBPL instances on different hosts.
Reporter
Comment 6•13 years ago
So, this might be stupid, but do we want to look at the Referer header (if set by the browser) and set Access-Control-Allow-Origin based on the hostname in use (and fall back to tbpl.m.o if it's not set)?
Comment 7•13 years ago
Would that mean anyone could write a page that could cancel/trigger builds using the user's current credentials? Seems like that might be a problem, so I think it would be better to whitelist people's individual tbpl variants.
Comment 8•13 years ago
I propose the following headers be sent by the self-serve API pages:

Access-Control-Allow-Origin: tbpl.mozilla.org, tests.themasta.com, dev.philringnalda.com, bbpl.dbaron.org, tbpl.mcc.id.au
Access-Control-Allow-Credentials: true

They're the TBPL instances I'm aware of. (The last one is where I'm testing bug 634915 work, which needs this cross-domain access.)
Comment 9•13 years ago
Sorry, should be this:

Access-Control-Allow-Origin: http://tbpl.mozilla.org http://tests.themasta.com http://dev.philringnalda.com http://bbpl.dbaron.org http://tbpl.mcc.id.au
Access-Control-Allow-Credentials: true
Reporter
Comment 10•13 years ago
(In reply to comment #9)
> Sorry, should be this:
>
> Access-Control-Allow-Origin: http://tbpl.mozilla.org
> http://tests.themasta.com http://dev.philringnalda.com http://bbpl.dbaron.org
> http://tbpl.mcc.id.au
> Access-Control-Allow-Credentials: true

If that's how we should be playing, please add http://ehsanakhgari.org too.
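
The per-origin allowlist discussed in comments 5 through 10, as an added example that is neither the patch attached to this bug nor buildapi code: a WSGI middleware that echoes the request's Origin only on an exact match and sends Access-Control-Allow-Credentials with it. It goes one step beyond the thread by also refusing non-safe methods that announce an unlisted Origin, since CORS response headers only control whether the calling page may read the response. The names CorsAllowlist, demo_app and probe are assumptions made for the example.

```python
# Added example, not the buildapi patch. Origins are the ones named in
# comments 9 and 10; class and helper names are hypothetical.
ALLOWED_ORIGINS = frozenset([
    "http://tbpl.mozilla.org", "http://tests.themasta.com",
    "http://dev.philringnalda.com", "http://bbpl.dbaron.org",
    "http://tbpl.mcc.id.au", "http://ehsanakhgari.org",
])
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

class CorsAllowlist:
    """WSGI middleware: echo Origin only on an exact allowlist match."""

    def __init__(self, app, allowed=ALLOWED_ORIGINS):
        self.app, self.allowed = app, allowed

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        trusted = origin in self.allowed
        # CORS headers only gate reading the response; a cross-site POST is
        # still delivered, so refuse state changes from an unlisted Origin.
        if origin and not trusted and environ["REQUEST_METHOD"] not in SAFE_METHODS:
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"), ("Vary", "Origin")])
            return [b"origin not allowed\n"]

        def cors_start_response(status, headers, exc_info=None):
            # The response depends on Origin, so caches must key on it.
            headers = list(headers) + [("Vary", "Origin")]
            if trusted:
                # One exact origin: "*" is not usable with credentials.
                headers += [("Access-Control-Allow-Origin", origin),
                            ("Access-Control-Allow-Credentials", "true")]
            return start_response(status, headers, exc_info)

        return self.app(environ, cors_start_response)

def demo_app(environ, start_response):
    # Constructed stand-in for the self-serve API.
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b"{}"]

def probe(origin=None, method="POST"):
    """Send one constructed request through the middleware."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/self-serve"}
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    seen = []
    CorsAllowlist(demo_app)(environ, lambda s, h, e=None: seen.append((s, dict(h))))
    return seen[0]
```

Requests without an Origin header pass through unchanged and get no CORS headers, so non-browser clients of the API are unaffected.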
Assignee
Comment 11•13 years ago
Assignee
Updated•13 years ago
Attachment #525793 - Flags: review?(bear)
Updated•13 years ago
Attachment #525793 - Flags: review?(bear) → review+
Assignee
Comment 12•13 years ago
Comment on attachment 525793
Add ControlHeaders middleware

http://hg.mozilla.org/build/buildapi/rev/529092a87932
Attachment #525793 - Flags: checked-in+
Assignee
Updated•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•11 years ago
Product: mozilla.org → Release Engineering