
Add more CORS negotiation to /query endpoint

Status: NEW
Product / Component: Testing :: ActiveData
Reporter: ekyle, Assigned: ekyle
Firefox Tracking Flags: (Not tracked)

Description (Assignee, 5 months ago)
It appears `Access-Control-Allow-Origin: *` in the HTTP header is not enough to allow cross-site scripting. More headers, and HTTP methods, are required to unlock browsers' ability to send requests to the ActiveData server. Specifically, at least `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers`. These appear to be white-listing header properties, but the extent they apply in practice is currently a mystery to me.

Some of my dumb questions are:
* What does it mean to "Allow-Headers"? In the case of "Content-Type", can we actually disallow "Content-Type" headers?
* What other headers are gated by "Allow-Headers"? If I find <header> is not gated, how do I distinguish between a browser implementation failure and a legitimate part of the spec? How do I get informed of changes to the CORS spec as more headers are added to the list of gated headers?
* It would be nice if "*" works for all the "Access-Control-*" headers. Does it?

Certainly, with enough hours dedicated to research and experimentation, all these questions can be answered. Plus, a comprehensive test suite is required to be reasonably assured we can deal with the variations in implementation, ensure we have not broken other communications, and provide alerts when the CORS spec/implementation inevitably changes. This makes me sad; I hope there is a faster way.

There may be a communications library [2] that manages the client communication required to establish the required client permissions. Hopefully its API has a "just work" option, unlike CORS.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests
[2] https://flask-cors.readthedocs.io/en/latest/
[3] http://flask.pocoo.org/snippets/56/
Comment 1 (Assignee, 5 months ago)
Some discussion about "*":

http://stackoverflow.com/questions/13146892/cors-access-control-allow-headers-wildcard-being-ignored

including possible dynamic solutions:

resp.setHeader("Access-Control-Allow-Headers", req.getHeader("Access-Control-Request-Headers"));
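An added example, not ActiveData's or flask-cors's code, showing what a preflight responder for a POST /query endpoint has to do: read the browser's Access-Control-Request-Method and Access-Control-Request-Headers from the OPTIONS request and answer with Allow-Methods / Allow-Headers. Unlike the verbatim echo quoted above, it grants only headers on a fixed allowlist, so an unexpected header fails the preflight instead of being silently permitted. The header allowlist, method set and max-age value are assumptions.

```python
# Added example: dependency-free CORS preflight logic for a POST /query
# endpoint. Every allowlist value below is an assumption, not ActiveData's.

ALLOWED_METHODS = {"GET", "POST", "OPTIONS"}
# Non-simple request headers the /query endpoint actually needs; the browser
# only asks about headers outside the CORS "safelist", e.g. a JSON
# Content-Type, so this is the set to be explicit about.
ALLOWED_HEADERS = {"content-type", "accept"}


def preflight_headers(request_headers):
    """Return the response headers for an OPTIONS preflight, or None when the
    preflight should be refused (caller then sends e.g. 403 with no CORS
    headers). `request_headers` is a dict of the browser's request headers;
    keys are matched case-insensitively."""
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin")
    method = req.get("access-control-request-method", "").upper()
    # Without an Origin this is not a CORS request; an unlisted method is refused.
    if origin is None or method not in ALLOWED_METHODS:
        return None
    # The browser lists the headers it intends to send, comma-separated.
    # Keep only those we allow; refuse the whole preflight if any is unknown,
    # rather than reflecting the request list back as in the echo snippet.
    wanted = [h.strip().lower()
              for h in req.get("access-control-request-headers", "").split(",")
              if h.strip()]
    granted = [h for h in wanted if h in ALLOWED_HEADERS]
    if len(granted) != len(wanted):
        return None
    resp = {
        # "*" is fine here because the API is public and sends no credentials;
        # a credentialed API would have to echo a vetted Origin instead.
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        # Let the browser cache this answer so each /query does not preflight.
        "Access-Control-Max-Age": "600",
    }
    if granted:
        # Header-name matching is case-insensitive, so lowercase is valid.
        resp["Access-Control-Allow-Headers"] = ", ".join(granted)
    return resp


if __name__ == "__main__":
    # Constructed sample: what a browser sends before a JSON POST to /query.
    sample = {"Origin": "https://example.test",
              "Access-Control-Request-Method": "POST",
              "Access-Control-Request-Headers": "Content-Type"}
    print(preflight_headers(sample))
```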