Need to implement OPTIONS method and CORS #38

Open
10 tasks
karlcz opened this issue Mar 9, 2017 · 5 comments
Comments

@karlcz
Contributor

karlcz commented Mar 9, 2017

The hatrac service does not implement the OPTIONS method for HTTP.

@kylechard @robes we need to define the scope of this...

OPTIONS request processing

Every resource should support this:

  1. Request headers for CORS pre-flight OPTIONS request
    • Origin: the origin or origins of the page causing the request on the browser (null or space-separated list of origins e.g. https://server1 http://server2:port)
    • Access-Control-Request-Method: the all-caps HTTP method name the browser plans to use with actual request, e.g. GET
    • Access-Control-Request-Headers: comma-separated list of header names the browser plans to send with actual request
  2. Response headers for basic HTTP OPTIONS request
    • Allow: comma-separated list of all-caps HTTP method names supported by the resource (for the current client), e.g. Allow: GET,OPTIONS
  3. Response headers for CORS:
    • Access-Control-Allow-Origin: * or null or single origin?
    • Access-Control-Allow-Credentials: true to say we want our cookies sent w/ the cross-origin request
    • Access-Control-Expose-Headers: comma-separated list of response header names exposed (exposed means the cross-origin client can view the response header content)
      • Default allows: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma
    • Access-Control-Allow-Methods: comma-separated list of all-caps method names
    • Access-Control-Allow-Headers: comma-separated list of request header names allowed (allowed means the cross-origin client can specify the request header content)
      • Don't need to list implicit ones: Accept, Accept-Language, Content-Language, Content-Type
    • Access-Control-Max-Age: delta seconds as one or more decimal ASCII digits

Extensions to regular request processing

The CORS response headers should actually be included in most responses to cover cases where the browser opportunistically sends the request rather than doing a pre-flight via OPTIONS.

  • Access-Control-Allow-Credentials
  • Access-Control-Allow-Headers if request had Access-Control-Request-Headers
  • Access-Control-Allow-Origin says whether this specific response can be shared, also include Origin in the Vary response header if content is restricted!
  • Access-Control-Expose-Headers

Cross-site concerns

  1. We need a service configuration option to actually supply CORS whitelist policies.
  2. We need to actually check Origin headers against our policy on all requests, not just in the new OPTIONS request handler.
  3. We need to decide how many levels of CORS-managed trust we might have in origins:
    • None: behave as in pre-CORS world
    • Public: map our * ACLs into public access in CORS terms?
    • Read-only: only support GET, HEAD, OPTIONS?
    • Full: support all operations as we would from our own origin
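The following is an added example, not hatrac's code, of how the OPTIONS handling, the per-response CORS headers and the per-origin trust levels sketched in this issue fit together in one policy object. The configuration format (a map from exact origin to a trust level), the function names, and the assumption that "public" trust means read-only access without credentials are all assumptions made here; the header semantics follow the lists above.

```python
from typing import Dict, Iterable, Optional, Set, Tuple

# Method set for the "read-only" trust level in the issue (assumed mapping).
READ_ONLY = {"GET", "HEAD", "OPTIONS"}

# Response headers a cross-origin client may read without being listed in
# Access-Control-Expose-Headers (the issue's "Default allows").
SAFELISTED_RESPONSE = {"cache-control", "content-language", "content-type",
                       "expires", "last-modified", "pragma"}
# Request headers that need no Access-Control-Allow-Headers entry.
SAFELISTED_REQUEST = {"accept", "accept-language", "content-language", "content-type"}


def _split_list(value: str) -> Set[str]:
    """Parse a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


class CorsPolicy:
    """Assumed config format: {origin: 'public'|'read-only'|'full'}; key '*' = public for anyone."""

    def __init__(self, origins: Dict[str, str], allowed_headers: Iterable[str] = (),
                 exposed_headers: Iterable[str] = (), max_age: int = 600) -> None:
        self.origins = {o.lower(): level for o, level in origins.items()}
        self.allowed_headers = {h.lower() for h in allowed_headers}
        # Safelisted names need not be exposed explicitly; drop them from the list.
        self.exposed_headers = [h for h in exposed_headers if h.lower() not in SAFELISTED_RESPONSE]
        self.max_age = max_age

    def trust_for(self, origin: Optional[str]) -> str:
        """Map the request's Origin header to 'none', 'public', 'read-only' or 'full'."""
        if origin is None:
            return "none"
        o = origin.strip().lower()
        # "null" (sandboxed frames, file: pages) and multi-origin lists are never whitelisted.
        if o == "null" or " " in o:
            return "none"
        if o in self.origins:
            return self.origins[o]
        return "public" if "*" in self.origins else "none"


def allowed_methods(trust: str, resource_methods: Set[str]) -> Set[str]:
    """Methods a cross-origin client at this trust level may use on the resource."""
    if trust == "full":
        return set(resource_methods)
    if trust in ("public", "read-only"):
        return resource_methods & READ_ONLY
    return set()


def cors_headers(policy: CorsPolicy, request_headers: Dict[str, str]) -> Dict[str, str]:
    """CORS headers to add to every response, not only to OPTIONS (the issue's 'extensions')."""
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin")
    headers = {"Vary": "Origin"}          # the response depends on Origin, so caches must key on it
    trust = policy.trust_for(origin)
    if trust == "none":
        return headers                    # no Access-Control-* at all: the browser blocks the read
    if trust == "public":
        headers["Access-Control-Allow-Origin"] = "*"   # '*' cannot be combined with credentials
    else:
        headers["Access-Control-Allow-Origin"] = origin.strip()
        headers["Access-Control-Allow-Credentials"] = "true"
    if policy.exposed_headers:
        headers["Access-Control-Expose-Headers"] = ",".join(policy.exposed_headers)
    return headers


def handle_options(policy: CorsPolicy, request_headers: Dict[str, str],
                   resource_methods: Set[str]) -> Tuple[int, Dict[str, str]]:
    """Build the OPTIONS response: plain Allow header, plus preflight headers when they apply."""
    req = {k.lower(): v for k, v in request_headers.items()}
    methods_here = resource_methods | {"OPTIONS"}
    headers = {"Allow": ",".join(sorted(methods_here))}
    headers.update(cors_headers(policy, request_headers))
    want_method = req.get("access-control-request-method")
    if want_method is None or "Access-Control-Allow-Origin" not in headers:
        return 204, headers               # plain OPTIONS, or an untrusted origin
    trust = policy.trust_for(req["origin"])
    methods = allowed_methods(trust, methods_here)
    if want_method.strip().upper() not in methods:
        return 204, headers               # no Allow-Methods: the browser fails the preflight
    wanted = _split_list(req.get("access-control-request-headers", ""))
    extra = wanted - SAFELISTED_REQUEST
    if extra - policy.allowed_headers:
        return 204, headers               # a requested header is not in the whitelist
    headers["Access-Control-Allow-Methods"] = ",".join(sorted(methods))
    if extra:
        headers["Access-Control-Allow-Headers"] = ",".join(sorted(extra))
    headers["Access-Control-Max-Age"] = str(policy.max_age)
    return 204, headers
```

Two points this makes concrete: a "public" origin gets `Access-Control-Allow-Origin: *` with no credentials header, because browsers reject `*` together with `Access-Control-Allow-Credentials: true`; and a rejected preflight is still a 204, it simply carries no `Access-Control-Allow-Methods`, which is enough for the browser to refuse the actual request.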
@karlcz karlcz added the bug label Mar 9, 2017
@karlcz karlcz self-assigned this Mar 9, 2017
@karlcz karlcz changed the title Need to implement OPTIONS method Need to implement OPTIONS method and CORS Mar 14, 2017
@karlcz
Contributor Author

karlcz commented Mar 16, 2017

I'm not seeing any feedback that this is a high priority issue, so we'll park it for now. We need some motivating use cases for how we want CORS to interact with credentials and fine-grained ACLs, including how many levels of trust a server admin might want to express for other origins.

@carlkesselman

carlkesselman commented Mar 16, 2017 via email

@karlcz
Contributor Author

karlcz commented Mar 16, 2017 via email

@carlkesselman

carlkesselman commented Mar 16, 2017 via email

@robes
Contributor

robes commented Mar 17, 2017 via email

3 participants