Implement cross-origin resource sharing (CORS)
jmakeig opened this issue · 3 comments
There's some relatively straightforward HTTP magic that will allow browser clients to access resources on different domains via AJAX. I'd like to be able to configure Access-Control-Allow-Origin and Access-Control-Allow-Credentials response headers on an individual resource level as well as globally in my REST services.
See http://www.w3.org/TR/cors/ and https://developer.mozilla.org/En/HTTP_access_control.
Here’s the most basic example with authentication:
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8" />
  <title>CORS</title>
  <script type="text/javascript">
    function testCORS() {
      var url = "http://localhost:8002/manage/v1/databases/Documents/config?format=json";
      if (window.XMLHttpRequest) {
        var request = new XMLHttpRequest();
        // Only browsers with CORS support expose withCredentials
        if ("withCredentials" in request) {
          // Firefox 3.5 and Safari 4
          request.open('GET', url, true);
          // Boolean, not a string: send cookies/HTTP auth with the cross-origin request
          request.withCredentials = true;
          request.onreadystatechange = function() {
            // Log the body once the response is complete
            if (this.readyState === 4) {
              console.log(this.responseText);
            }
          };
          request.send();
        }
      }
    }
  </script>
</head>
<body>
  <button onclick="testCORS()">CORS</button>
</body>
</html>
Sorry, Justin, but I can't make heads or tails of this comment. I don't see what the CORS example does that involves two origins nor do I understand how it bears on the REST library.
CORS allows you to do cross-domain AJAX without having to resort to something hacky, like JSONP. It would be nice to be able to configure it declaratively in the REST library. The example above illustrates basic CORS-enabled client code. There are HTTP headers in the request and response that tell the browser to relax the same-origin security policy for XMLHttpRequest.
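An added example, not part of the issue thread or the REST library's own code: one way a server could resolve Access-Control-Allow-Origin and Access-Control-Allow-Credentials per resource with a global fallback, echoing only allowlisted origins on credentialed responses. The config shape, function names and sample origins are assumptions.

```javascript
// Hypothetical declarative CORS config (constructed sample values).
const corsConfig = {
  // Global default for every resource unless overridden: no cross-origin access.
  global: { allowOrigins: [], allowCredentials: false },
  // Per-resource overrides, keyed by path prefix.
  resources: {
    "/manage/v1/databases": {
      allowOrigins: ["http://localhost:8080"],
      allowCredentials: true,
    },
    "/public": { allowOrigins: ["*"], allowCredentials: false },
  },
};

// Pick the longest matching path prefix, falling back to the global policy.
function policyFor(path, config) {
  const match = Object.keys(config.resources)
    .filter((p) => path === p || path.startsWith(p + "/"))
    .sort((a, b) => b.length - a.length)[0];
  return Object.assign({}, config.global, match ? config.resources[match] : {});
}

// Return the CORS response headers for a request path and its Origin header.
function corsHeaders(path, requestOrigin, config) {
  const headers = {};
  if (!requestOrigin) return headers; // no Origin header: not a CORS request
  const policy = policyFor(path, config);
  const wildcard = policy.allowOrigins.includes("*");
  const listed = requestOrigin !== "*" && policy.allowOrigins.includes(requestOrigin);
  if (policy.allowCredentials) {
    // Browsers reject "*" on credentialed responses, so echo only an
    // explicitly allowlisted origin and never reflect an unknown one.
    if (!listed) return headers;
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin"; // keep caches from reusing this for other origins
  } else if (wildcard) {
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (listed) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Vary"] = "Origin";
  }
  return headers;
}
```

An origin that is not on the resource's allowlist gets no CORS headers at all, so the browser keeps enforcing the same-origin policy for that caller.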