openstack team mailing list archive
Message #06584
Cross-Origin Resource Sharing & OpenStack APIs
Hello,
I was wondering what people think about adding Cross-Origin Resource
Sharing Headers to all OpenStack APIs by default.
Essentially, this would allow people to make pure frontend JavaScript
clients, which could be hosted on domains different from the
API:
http://www.w3.org/TR/cors/
More examples of how to use this are here:
https://developer.mozilla.org/En/HTTP_access_control
This boils down to a few changes in OpenStack implementations; mostly,
when an OPTIONS request is sent to the APIs, respond with a 200
and send something like the following headers:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS, POST, PUT, DELETE
Access-Control-Allow-Headers: X-Auth-Token
Access-Control-Max-Age: 1728000
This would especially be helpful when working against Keystone, as it
would let you make applications where the user is prompted for their
username & password, and then their token is fetched purely from
client-side JavaScript.
The only concern, of course, is potential security implications.
However, I've not been able to think of a viable threat model for any
OpenStack APIs at this time.
Thoughts?
Thanks,
Paul
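A WSGI middleware that does what the post describes, written as an added example rather than code from the post or from any OpenStack project: it answers the OPTIONS preflight with a 200 and the headers listed above, and, beside the post's wildcard, shows the allowlisted form where the request Origin is echoed back only when it matches a constructed list. ALLOWED_ORIGINS, demo_app and call are assumptions made for the demonstration.

```python
# Added example (not OpenStack code): WSGI middleware answering CORS preflight
# with the headers from the post. Origins are checked against a constructed
# allowlist; allow_any=True reproduces the post's "Access-Control-Allow-Origin: *".
ALLOWED_ORIGINS = {"https://dashboard.example.com"}  # constructed sample
CORS_STATIC = [
    ("Access-Control-Allow-Methods", "GET, OPTIONS, POST, PUT, DELETE"),
    ("Access-Control-Allow-Headers", "X-Auth-Token"),
    ("Access-Control-Max-Age", "1728000"),
]
def cors_headers(origin, allow_any=False):
    """Headers for a request Origin, or [] when the origin is not allowed."""
    if not origin:
        return []
    if allow_any:
        allowed = "*"
    elif origin in ALLOWED_ORIGINS:
        allowed = origin  # echo only an allowlisted origin, never the raw one
    else:
        return []
    # Vary tells shared caches that the answer depends on the Origin header.
    return [("Access-Control-Allow-Origin", allowed), ("Vary", "Origin")] + CORS_STATIC
class CORSMiddleware:
    def __init__(self, app, allow_any=False):
        self.app, self.allow_any = app, allow_any
    def __call__(self, environ, start_response):
        extra = cors_headers(environ.get("HTTP_ORIGIN"), self.allow_any)
        is_preflight = (environ.get("REQUEST_METHOD") == "OPTIONS"
                        and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ)
        if is_preflight:
            # Answer the preflight with 200 and no body; the API is not called.
            start_response("200 OK", extra + [("Content-Length", "0")])
            return [b""]
        def sr(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, sr)
def demo_app(environ, start_response):
    # Stand-in for an API endpoint such as Keystone's token call (constructed).
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"access": {"token": {"id": "sample"}}}']
def call(app, method, origin=None, preflight=False):
    # Drive a WSGI app with a constructed request; return (status, headers).
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/v2.0/tokens"}
    if origin:
        environ["HTTP_ORIGIN"] = origin
    if preflight:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = "POST"
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]
```

A browser only lets the page read the response when the Allow-Origin header it gets back covers the page's origin, so the allowlisted form denies a non-listed origin simply by omitting the header.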