[tahoe-dev] [tahoe-lafs] #1215: add CORS support
tahoe-lafs
trac at tahoe-lafs.org
Wed Sep 29 18:33:40 UTC 2010
#1215: add CORS support
-------------------------------+--------------------------------------------
Reporter: warner | Owner:
Type: enhancement | Status: new
Priority: major | Milestone: undecided
Component: code-frontend-web | Version: 1.8.0
Keywords: | Launchpad Bug:
-------------------------------+--------------------------------------------
If the webapi client emitted a header like this on every page:
{{{
Access-Control-Allow-Origin: *
}}}
Then, in sufficiently-modern browsers, web pages pulled from arbitrary
third-party sites would be able to perform XHR to the Tahoe webapi server
without interference by the regrettable "same-origin policy".
Clients who want to use this (i.e. web pages from third parties) must do a
slightly different form of XHR than usual: I'm looking at
[http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/ this]
and [http://softwareas.com/cors-scraping-and-microformats this] for details.
One quirk to keep in mind is that clients (i.e. those third parties) can
set a flag on their XHR calls to cause the browser to include any cookies
that the tahoe webapi might have set. We all know to not use cookies for
authorization, but once we enable CORS, we should make extra sure to not
add any code which accepts authority information from cookies.
--
Ticket URL: <http://tahoe-lafs.org/trac/tahoe-lafs/ticket/1215>
tahoe-lafs <http://tahoe-lafs.org>
secure decentralized storage
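
The cookie concern in the ticket above, as an added example that is not part of the original message and is not Tahoe-LAFS code: a WSGI middleware that emits the wildcard header while making sure no handler behind it can see or set a cookie. The class, the helper names, the sample request and the choice to drop Set-Cookie outright are all assumptions made for illustration.

```python
# Added illustration, not Tahoe-LAFS code; every name below is hypothetical.
_BLOCKED = {"set-cookie", "access-control-allow-credentials",
            "access-control-allow-origin"}

class CorsNoCookieAuthority:
    """Allow any origin to read responses; never let cookies carry authority."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # A cross-origin page can ask the browser to attach cookies to XHR.
        # Remove them before the app runs, so no handler can treat one as a
        # credential. Work on a copy; the caller's environ is left alone.
        environ = dict(environ)
        environ.pop("HTTP_COOKIE", None)

        def cors_start_response(status, headers, exc_info=None):
            # Never set cookies and never opt in to credentialed CORS.
            kept = [(k, v) for k, v in headers if k.lower() not in _BLOCKED]
            kept.append(("Access-Control-Allow-Origin", "*"))
            return start_response(status, kept, exc_info)

        return self.app(environ, cors_start_response)

def demo_app(environ, start_response):
    # Constructed handler that does what the ticket warns against.
    saw_cookie = "HTTP_COOKIE" in environ
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=constructed"),
                              ("Access-Control-Allow-Credentials", "true")])
    return [b"cookie-seen" if saw_cookie else b"no-cookie"]

def run(app, environ):
    """Call a WSGI app once and return (status, headers dict, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

# Constructed request: third-party page, browser told to send cookies.
SAMPLE_ENV = {"REQUEST_METHOD": "GET", "PATH_INFO": "/constructed/path",
              "HTTP_ORIGIN": "http://third-party.example",
              "HTTP_COOKIE": "session=constructed"}

if __name__ == "__main__":
    print(run(CorsNoCookieAuthority(demo_app), SAMPLE_ENV))
```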