Open Stack

Sorry for bringing up an old thread but since the question was asked I thought someone might find this CORS middleware module I worked on useful.

https://github.com/adrian/swift/tree/cors

What it does is examine each request, decide if it's cross origin or not and then deal with it appropriately (i.e. is it a pre-flight request or an actual request). In theory (and outside a browser) it works but the problem (and why I've parked any further work on it for now) is that none of the browsers out there today fully support the CORS specification. They can deal with simple requests but when the server returns non-standard headers (such as X-Auth-Token and X-Storage-Service) the browser hides them from the client Javascript. The browser should whitelist all headers listed in Access-Control-Expose-Headers and pass them on to the Javascript. Unfortunately this isn't happening. I've tested the latest versions of Chrome, Firefox and IE.

There has been some reference to this problem on various projects so for now I'm tracking their progress.

http://code.google.com/p/chromium/issues/detail?id=87338
https://bugzilla.mozilla.org/show_bug.cgi?id=608735
https://bugs.webkit.org/show_bug.cgi?id=41210

When I last tested (1-Feb) Access-Control-Expose-Headers was still being ignored.

I'm not holding this code out as being complete or working. I just thought it was worth sharing where I got to and what my findings were.

Adrian


-----Original Message-----
From: openstack-bounces+adrian_f_smith=dell.com at lists.launchpad.net [mailto:openstack-bounces+adrian_f_smith=dell.com at lists.launchpad.net] On Behalf Of Brian Waldon
Sent: Sunday, January 08, 2012 11:11 PM
To: Paul Querna
Cc: openstack at lists.launchpad.net
Subject: Re: [Openstack] Cross-Origin Resource Sharing & OpenStack APIs

Thanks for bringing this to our attention, Paul. It is extremely important to design our APIs to be as consumable as possible. I am personally more involved in Nova and Glance, but I would still love to try to fit these headers into each of their APIs. We are in the process of drafting new API specs for both right now (Glance v2 might actually be finalized), but I will work with you to see what we can do.

Thanks!
Brian Waldon


On Jan 6, 2012, at 3:26 PM, Paul Querna wrote:

> Hello,
> 
> I was wondering what people think about adding Cross-Origin Resource 
> Sharing Headers to all OpenStack APIs by default.
> 
> Essentially, this would allow people to make pure frontend javascript 
> clients, which would could be hosted on domains different than the
> API:
>  http://www.w3.org/TR/cors/
> 
> More examples of how to use this are here:
>  https://developer.mozilla.org/En/HTTP_access_control
> 
> This boils down to a few changes in OpenStack implementations, mostly 
> it is when an OPTIONS request is sent to the APIs, respond with a 200, 
> and send something like following headers:
> 
> Access-Control-Allow-Origin: *
> Access-Control-Allow-Methods: GET, OPTIONS,POST,PUT,DELETE
> Access-Control-Allow-Headers: X-Auth-Token
> Access-Control-Max-Age: 1728000
> 
> This would especially be helpful when working against Keystone, as it 
> would let you make applications where the user is prompted for their 
> username & password, and then their token is fetched purely from 
> client side javascript.
> 
> The only concern of course is potential security implications.
> However, I've not been able to think of a viable threat model for any 
> OpenStack APIs at this time.
> 
> Thoughts?
> 
> Thanks,
> 
> Paul
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp


_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack at lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp