Opened at 2010-09-29T18:33:40Z
Last modified at 2013-09-14T17:40:22Z
#1215 new enhancement
add CORS support — at Initial Version
| Reported by: | warner | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | undecided |
| Component: | code-frontend-web | Version: | 1.8.0 |
| Keywords: | security http same-origin cors websec | Cc: | zooko, vikarti@… |
| Launchpad Bug: | | | |
Description
If the webapi client emitted a header like this on every page:
Access-Control-Allow-Origin: *
Then, in sufficiently-modern browsers, web pages pulled from arbitrary third-party sites would be able to perform XHR to the Tahoe webapi server without interference by the regrettable "same-origin policy".
Clients who want to use this (i.e. web pages from third parties) must do a slightly different form of XHR than usual: I'm looking at this and this for details.
One quirk to keep in mind is that clients (i.e. those third parties) can set a flag on their XHR calls to cause the browser to include any cookies that the tahoe webapi might have set. We all know to not use cookies for authorization, but once we enable CORS, we should make extra sure to not add any code which accepts authority information from cookies.
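A defender-side sketch of the two points above (emit the permissive header, and never let cookie-borne authority reach a handler), written here as an added example in plain WSGI; it is not Tahoe's own Twisted webapi code, and the middleware, the toy handler and the constructed request environs are assumptions for illustration:

```python
# Added example (not Tahoe-LAFS code): WSGI middleware that emits the permissive CORS
# header above and strips Cookie from cross-origin requests (defense in depth).
ALLOWED_METHODS = "GET, PUT, POST, DELETE, OPTIONS"

def is_cross_origin(environ):
    """True when the browser sent an Origin differing from our own (scheme://host)."""
    origin = environ.get("HTTP_ORIGIN")
    if origin is None:  # non-browser clients and plain navigation pass through
        return False
    own = "%s://%s" % (environ.get("wsgi.url_scheme", "http"),
                       environ.get("HTTP_HOST", ""))
    return origin.lower() != own.lower()

def cors_headers():
    # A literal '*' and no Allow-Credentials: browsers then refuse to expose
    # the response to a credentialed (withCredentials) cross-origin request.
    return [("Access-Control-Allow-Origin", "*"),
            ("Access-Control-Allow-Methods", ALLOWED_METHODS),
            ("Access-Control-Allow-Headers", "Content-Type")]

def cors_middleware(app):
    def wrapped(environ, start_response):
        if is_cross_origin(environ):
            # withCredentials=true still makes the browser attach our cookies;
            # drop them before any handler can see them.
            environ.pop("HTTP_COOKIE", None)
        if (environ.get("REQUEST_METHOD") == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            start_response("204 No Content", cors_headers())  # preflight reply
            return [b""]
        def start_with_cors(status, headers, exc_info=None):
            return start_response(status, list(headers) + cors_headers(), exc_info)
        return app(environ, start_with_cors)
    return wrapped

def handle(environ, start_response):
    # Toy webapi handler: authority comes only from the URL, never from cookies.
    start_response("200 OK", [("Content-Type", "text/plain")])
    body = "uri=%s cookie=%s" % (environ.get("PATH_INFO", "/"),
                                 environ.get("HTTP_COOKIE", "<none>"))
    return [body.encode("utf-8")]

def run(environ):
    """Drive the wrapped app with a constructed environ; return (status, headers, body)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers
    body = b"".join(cors_middleware(handle)(environ, start_response))
    return seen["status"], seen["headers"], body
```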