[Openstack] Using Nova APIs from Javascript: possible?

Adam Young ayoung at redhat.com
Mon Apr 23 12:50:17 UTC 2012


I see this as a feature, not a drawback. The inability to access
portions of the HTTP protocol is there to defend against attacks such as
cross site request forgeries. If we suppress that mechanism, we open up
a lot of security holes.


On 04/23/2012 06:09 AM, Adrian Smith wrote:
> The authentication request returns X-Storage-Url and X-Auth-Token
> headers. For the JS client to see them they need to be referenced in
> Access-Control-Expose-Headers. As of the last time I checked, both these
> headers were being stripped from the response before being presented
> to JS.
>
> Adrian
>
>
> On 23 April 2012 10:35, Nick Lothian <nick.lothian at gmail.com> wrote:
>> Hi Adrian,
>>
>> Good to know this is a known issue.
>>
>> Why does the client need to see custom headers from the server anyway?
>> I know the client needs to pass the authorisation header to the server, but
>> I haven't seen any of the APIs yet that return custom headers. (It's likely
>> I'm missing them though)
>>
>> Nick
>>
>> On Apr 23, 2012 5:40 PM, "Adrian Smith" <adrian at 17od.com> wrote:
>>> Hi Nick,
>>>
>>> I did some work with CORS a few months back [1].
>>>
>>> At the time I couldn't get any browser to work properly with CORS so I
>>> just parked the code. The problem was lack of support for the
>>> Access-Control-Expose-Headers header.
>>>
>>> According to the Chrome bug report [2] this issue may well be fixed
>>> now so I need to retest.
>>>
>>> Adrian
>>>
>>> [1]
>>> http://www.mail-archive.com/openstack@lists.launchpad.net/msg07219.html
>>> [2] http://code.google.com/p/chromium/issues/detail?id=87338
>>>
>>>
>>> On 23 April 2012 06:19, Nick Lothian <nick.lothian at gmail.com> wrote:
>>>> Hi,
>>>>
>>>> I've been playing with the Nova APIs from Javascript, and I've run into
>>>> a problem.
>>>>
>>>> The very first thing one needs to do to use the APIs is to get a token.
>>>>
>>>> That requires a POST to the API endpoint. Using curl & trystack that
>>>> looks like this:
>>>>
>>>> $ curl -k -X 'POST' -v https://nova-api.trystack.org:5443/v2.0/tokens \
>>>>     -d '{"auth":{"passwordCredentials":{"username": "<username>", "password":"<password>"}}}' \
>>>>     -H 'Content-type: application/json'
>>>>
>>>>
>>>> The Javascript equivalent (using JQuery) is:
>>>>
>>>>      $.ajax({
>>>>          url: "https://nova-api.trystack.org:5443/v2.0/tokens",
>>>>          type: 'POST',
>>>>          headers: {"Content-Type": "application/json"},
>>>>          // jQuery form-encodes a plain object, so serialize the body to JSON
>>>>          data: JSON.stringify({"auth":{"passwordCredentials":{"username":"<username>",
>>>>              "password":"<password>"}}}),
>>>>          success: function(data) { alert(data); }
>>>>      });
>>>>
>>>> That fails because the call is cross-domain, and Nova doesn't support CORS
>>>> (http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). <script> based
>>>> cross-domain requests only support GET requests, so that doesn't work
>>>> either.
>>>>
>>>> I have raised a bug: https://bugs.launchpad.net/nova/+bug/987044, but I'm
>>>> really hoping someone can point out something obvious I'm missing here.
>>>>
>>>> Regards
>>>>    Nick Lothian
>>>>
>>>> _______________________________________________
>>>> Mailing list: https://launchpad.net/~openstack
>>>> Post to     : openstack at lists.launchpad.net
>>>> Unsubscribe : https://launchpad.net/~openstack
>>>> More help   : https://help.launchpad.net/ListHelp
>>>>

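Added example, not part of the thread: a simplified JavaScript model of the browser-side filtering discussed above, following the current Fetch standard's rules for Access-Control-Allow-Origin and Access-Control-Expose-Headers. The helper name `readableHeaders`, the origins, the token and the storage URL are constructed placeholders.

```javascript
// Simplified model of the browser-side CORS checks in the Fetch standard.
// Response headers a cross-origin script may always read.
const SAFELISTED = new Set(["cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma"]);

// Lower-case header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Returns the headers script can read, or null when the CORS check fails
// and the browser withholds the whole response from the page.
function readableHeaders(pageOrigin, responseHeaders, withCredentials = false) {
  const h = normalize(responseHeaders);
  const allowOrigin = h["access-control-allow-origin"];
  if (withCredentials) {
    // Credentialed requests need an exact origin match plus an explicit opt-in.
    if (allowOrigin !== pageOrigin) return null;
    if (h["access-control-allow-credentials"] !== "true") return null;
  } else if (allowOrigin !== "*" && allowOrigin !== pageOrigin) {
    return null;
  }
  const exposed = new Set((h["access-control-expose-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean));
  // The "*" wildcard is only honoured for requests without credentials.
  const exposeAll = exposed.has("*") && !withCredentials;
  const visible = {};
  for (const [name, value] of Object.entries(h)) {
    if (name === "set-cookie" || name === "set-cookie2") continue; // never readable
    if (SAFELISTED.has(name) || exposeAll || exposed.has(name)) visible[name] = value;
  }
  return visible;
}

// Constructed sample responses; origin, token and URL values are placeholders.
const PAGE = "https://dashboard.example";
const base = { "Content-Type": "text/plain", "X-Auth-Token": "tok-constructed",
  "X-Storage-Url": "https://storage.example/v1/AUTH_demo" };
const noCors = base;
const corsOnly = { ...base, "Access-Control-Allow-Origin": PAGE };
const corsExposed = { ...corsOnly,
  "Access-Control-Expose-Headers": "X-Auth-Token, X-Storage-Url" };

console.log(readableHeaders(PAGE, noCors));
console.log(readableHeaders(PAGE, corsOnly));
console.log(readableHeaders(PAGE, corsExposed));
```

The three sample responses correspond to a server without CORS, a server that allows the origin but exposes nothing, and a server that also lists the two auth headers for an allowlisted origin.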