Closed Bug 646636 Opened 13 years ago Closed 13 years ago

Allow cross-domain XHR requests on the self-serve API

Categories

(Release Engineering :: General, defect, P2)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ehsan.akhgari, Assigned: catlee)

References

Details

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #646487 +++

This is another thing that we need for integration of self-serve APIs with TBPL.
No longer depends on: 646487
What's the exact header name/value you want?
(In reply to comment #1)
> What's the exact header name/value you want?

Unfortunately because we need to send DELETE requests, we should support preflighted requests <https://developer.mozilla.org/En/HTTP_Access_Control#Preflighted_requests>.  This is a lot more complicated than I thought... :(
(In reply to comment #2)
> (In reply to comment #1)
> > What's the exact header name/value you want?
> 
> Unfortunately because we need to send DELETE requests, we should support
> preflighted requests
> <https://developer.mozilla.org/En/HTTP_Access_Control#Preflighted_requests>. 
> This is a lot more complicated than I thought... :(

You can send POST with a parameter _method=DELETE
(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > What's the exact header name/value you want?
> > 
> > Unfortunately because we need to send DELETE requests, we should support
> > preflighted requests
> > <https://developer.mozilla.org/En/HTTP_Access_Control#Preflighted_requests>. 
> > This is a lot more complicated than I thought... :(
> 
> You can send POST with a parameter _method=DELETE

In that case, specifying this header should be all that is needed:

Access-Control-Allow-Origin: *
Assignee: nobody → catlee
Priority: -- → P2
Blocks: 634915
We need to allow the user's HTTP credentials to be used when accessing the self-serve API.  By my reading of CORS, this means we need to send

  Access-Control-Allow-Origin: tbpl.mozilla.org
  Access-Control-Allow-Credentials: true

since it says you can't use "*" when making cross-origin requests with credentials.  That might be problematic for those running their own TBPL instances on different hosts.
So, this might be stupid, but do we want to look at the Referer header (if set by the browser) and set Access-Control-Allow-Origin based on the hostname in use (and fall back to tbpl.m.o if it's not set)?
Would that mean anyone could write a page that could cancel/trigger builds using the user's current credentials?  Seems like that might be a problem, so I think it would be better to whitelist people's individual tbpl variants.
I propose the following headers be sent by the self-serve API pages:

  Access-Control-Allow-Origin: tbpl.mozilla.org, tests.themasta.com, dev.philringnalda.com, bbpl.dbaron.org, tbpl.mcc.id.au
  Access-Control-Allow-Credentials: true

They're the TBPL instances I'm aware of.  (The last one is where I'm testing bug 634915 work, which needs this cross-domain access.)
Sorry, should be this:

  Access-Control-Allow-Origin: http://tbpl.mozilla.org http://tests.themasta.com http://dev.philringnalda.com http://bbpl.dbaron.org http://tbpl.mcc.id.au
  Access-Control-Allow-Credentials: true
(In reply to comment #9)
> Sorry, should be this:
> 
>   Access-Control-Allow-Origin: http://tbpl.mozilla.org
> http://tests.themasta.com http://dev.philringnalda.com http://bbpl.dbaron.org
> http://tbpl.mcc.id.au
>   Access-Control-Allow-Credentials: true

If that's how we should be playing, please add http://ehsanakhgari.org too.
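An added example for this bug, not code from the self-serve API or any TBPL instance: a minimal Python handler for the allowlist approach of comments 7 to 10, assuming the request headers arrive as a plain dict. Browsers accept exactly one value in Access-Control-Allow-Origin, so the server compares the request's Origin header against the list and echoes back the single origin that matched instead of sending the whole list, and never pairs "*" with Access-Control-Allow-Credentials: true.

```python
# Added example, not buildapi or TBPL code. Request headers are assumed to be
# a plain dict of header name -> value.

# Constructed allowlist: the TBPL instances named in this bug.
ALLOWED_ORIGINS = frozenset({
    "http://tbpl.mozilla.org",
    "http://tests.themasta.com",
    "http://dev.philringnalda.com",
    "http://bbpl.dbaron.org",
    "http://tbpl.mcc.id.au",
    "http://ehsanakhgari.org",
})
ALLOWED_METHODS = ("GET", "POST", "DELETE")


def cors_headers(request_headers: dict) -> dict:
    """CORS response headers for a credentialed request, or {} to deny.

    The browser states the calling page's origin in the Origin header
    (scheme://host[:port], no path, unlike Referer). Echoing it back only
    when it is on the allowlist is what stops an arbitrary page from
    cancelling or triggering builds with the user's credentials (comment 7).
    """
    origin = request_headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}  # no CORS headers: the browser refuses the cross-origin read
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # The answer depends on Origin; caches must not reuse it across origins.
        "Vary": "Origin",
    }


def preflight_headers(request_headers: dict) -> dict:
    """Headers for the OPTIONS preflight a real DELETE triggers (comment 2).

    Answered only for allowlisted origins and only for methods the API serves.
    With the POST + _method=DELETE workaround of comment 3 no preflight happens
    and cors_headers() alone is enough.
    """
    headers = cors_headers(request_headers)
    method = request_headers.get("Access-Control-Request-Method", "")
    if not headers or method not in ALLOWED_METHODS:
        return {}
    headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
    headers["Access-Control-Max-Age"] = "600"  # browser may cache the preflight
    return headers
```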
Attachment #525793 - Flags: review?(bear)
Attachment #525793 - Flags: review?(bear) → review+
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering