
openstack team mailing list archive

Re: Cross-Origin Resource Sharing & OpenStack APIs


Sorry for bringing up an old thread but since the question was asked I thought someone might find this CORS middleware module I worked on useful.

https://github.com/adrian/swift/tree/cors

What it does is examine each request, decide if it's cross origin or not and then deal with it appropriately (i.e. is it a pre-flight request or an actual request). In theory (and outside a browser) it works but the problem (and why I've parked any further work on it for now) is that none of the browsers out there today fully support the CORS specification. They can deal with simple requests but when the server returns non-standard headers (such as X-Auth-Token and X-Storage-Service) the browser hides them from the client Javascript. The browser should whitelist all headers listed in Access-Control-Expose-Headers and pass them on to the Javascript. Unfortunately this isn't happening. I've tested the latest versions of Chrome, Firefox and IE.

There has been some reference to this problem on various projects so for now I'm tracking their progress.

http://code.google.com/p/chromium/issues/detail?id=87338
https://bugzilla.mozilla.org/show_bug.cgi?id=608735
https://bugs.webkit.org/show_bug.cgi?id=41210

When I last tested (1-Feb) Access-Control-Expose-Headers was still being ignored.

I'm not holding this code out as being complete or working. I just thought it was worth sharing where I got to and what my findings were.

Adrian


-----Original Message-----
From: openstack-bounces+adrian_f_smith=dell.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+adrian_f_smith=dell.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Brian Waldon
Sent: Sunday, January 08, 2012 11:11 PM
To: Paul Querna
Cc: openstack@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Openstack] Cross-Origin Resource Sharing & OpenStack APIs

Thanks for bringing this to our attention, Paul. It is extremely important to design our APIs to be as consumable as possible. I am personally more involved in Nova and Glance, but I would still love to try to fit these headers into each of their APIs. We are in the process of drafting new API specs for both right now (Glance v2 might actually be finalized), but I will work with you to see what we can do.

Thanks!
Brian Waldon


On Jan 6, 2012, at 3:26 PM, Paul Querna wrote:

> Hello,
> 
> I was wondering what people think about adding Cross-Origin Resource 
> Sharing Headers to all OpenStack APIs by default.
> 
> Essentially, this would allow people to make pure frontend javascript 
> clients, which could be hosted on domains different than the
> API:
>  http://www.w3.org/TR/cors/
> 
> More examples of how to use this are here:
>  https://developer.mozilla.org/En/HTTP_access_control
> 
> This boils down to a few changes in OpenStack implementations, mostly 
> it is when an OPTIONS request is sent to the APIs, respond with a 200, 
> and send something like following headers:
> 
> Access-Control-Allow-Origin: *
> Access-Control-Allow-Methods: GET, OPTIONS, POST, PUT, DELETE
> Access-Control-Allow-Headers: X-Auth-Token
> Access-Control-Max-Age: 1728000
> 
> This would especially be helpful when working against Keystone, as it 
> would let you make applications where the user is prompted for their 
> username & password, and then their token is fetched purely from 
> client side javascript.
> 
> The only concern of course is potential security implications.
> However, I've not been able to think of a viable threat model for any 
> OpenStack APIs at this time.
> 
> Thoughts?
> 
> Thanks,
> 
> Paul
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp


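Added example (not Adrian's branch, and not code from Swift, Keystone or any OpenStack project): a minimal Python WSGI middleware of the shape this thread describes. It decides per request whether the request is cross-origin (an Origin header is present), answers a pre-flight OPTIONS with the headers Paul listed, and on an actual request adds Access-Control-Allow-Origin plus Access-Control-Expose-Headers so that a browser which honours that header can hand X-Auth-Token to page JavaScript. The origin allowlist, the hostnames, the X-Auth-User/X-Auth-Key stand-in for an auth endpoint and the token value are all constructed for the example; the small invoke() helper just drives the WSGI stack in-process so the behaviour can be checked without a server.

```python
import io

# Constructed policy for the example; a real deployment would load this
# from configuration rather than hard-code it.
ALLOWED_ORIGINS = {"https://dashboard.example.com"}
ALLOWED_METHODS = ["GET", "OPTIONS", "POST", "PUT", "DELETE"]
ALLOWED_HEADERS = "X-Auth-Token, X-Auth-User, X-Auth-Key, Content-Type"
# Non-simple response headers the browser must expose to page JavaScript.
EXPOSED_HEADERS = "X-Auth-Token, X-Storage-Url, X-Storage-Token"
MAX_AGE = "1728000"


class CORSMiddleware:
    """WSGI middleware: answer pre-flights, decorate actual cross-origin responses."""

    def __init__(self, app, allowed_origins=ALLOWED_ORIGINS):
        self.app = app
        self.allowed_origins = set(allowed_origins)

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        method = environ.get("REQUEST_METHOD", "GET")
        preflight = method == "OPTIONS" and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ

        if origin is None or origin not in self.allowed_origins:
            if preflight:
                # Unlisted origin asking for a pre-flight: refuse with no CORS
                # headers so the browser fails the pre-flight; never hit the app.
                start_response("403 Forbidden", [("Content-Length", "0")])
                return [b""]
            # Same-origin or non-browser client, or a simple request from an
            # unlisted origin: the app still runs, but without CORS headers a
            # browser will not let script read the response.
            return self.app(environ, start_response)

        if preflight:
            requested = environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"].upper()
            if requested not in ALLOWED_METHODS:
                start_response("403 Forbidden", [("Content-Length", "0")])
                return [b""]
            # Echo the specific allowed origin rather than "*" and add Vary so
            # caches do not serve one origin's answer to another.
            start_response("200 OK", [
                ("Access-Control-Allow-Origin", origin),
                ("Access-Control-Allow-Methods", ", ".join(ALLOWED_METHODS)),
                ("Access-Control-Allow-Headers", ALLOWED_HEADERS),
                ("Access-Control-Max-Age", MAX_AGE),
                ("Vary", "Origin"),
                ("Content-Length", "0"),
            ])
            return [b""]

        def cors_start_response(status, headers, exc_info=None):
            # Actual cross-origin request: pass the app's response through and
            # append the headers that let the browser deliver it to script.
            headers = list(headers) + [
                ("Access-Control-Allow-Origin", origin),
                ("Access-Control-Expose-Headers", EXPOSED_HEADERS),
                ("Vary", "Origin"),
            ]
            return start_response(status, headers, exc_info)

        return self.app(environ, cors_start_response)


def auth_app(environ, start_response):
    """Constructed stand-in for a v1-style auth endpoint (not real Swift code):
    GET /auth/v1.0 with X-Auth-User/X-Auth-Key returns the token in headers."""
    if environ.get("PATH_INFO") == "/auth/v1.0" and environ.get("REQUEST_METHOD") == "GET":
        if (environ.get("HTTP_X_AUTH_USER") == "test:tester"
                and environ.get("HTTP_X_AUTH_KEY") == "testing"):
            start_response("200 OK", [
                ("X-Auth-Token", "AUTH_tk0123456789"),  # constructed value
                ("X-Storage-Url", "https://api.example.com/v1/AUTH_test"),
                ("Content-Length", "0"),
            ])
            return [b""]
        start_response("401 Unauthorized", [("Content-Length", "0")])
        return [b""]
    start_response("404 Not Found", [("Content-Length", "0")])
    return [b""]


def invoke(app, method, path, headers=None):
    """Drive a WSGI app in-process; return (status, lower-cased header dict, body)."""
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path, "SERVER_NAME": "api.example.com",
        "SERVER_PORT": "443", "wsgi.url_scheme": "https", "wsgi.input": io.BytesIO(b""),
    }
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in response_headers}

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


app = CORSMiddleware(auth_app)

if __name__ == "__main__":
    print(invoke(app, "OPTIONS", "/auth/v1.0",
                 {"Origin": "https://dashboard.example.com",
                  "Access-Control-Request-Method": "GET"}))
    print(invoke(app, "GET", "/auth/v1.0",
                 {"Origin": "https://dashboard.example.com",
                  "X-Auth-User": "test:tester", "X-Auth-Key": "testing"}))
```

Two points the example is built around. First, it answers with the one allowlisted origin and a Vary: Origin header instead of Access-Control-Allow-Origin: *, which keeps the policy explicit and cache-safe; "*" is the right answer only for data that is genuinely public. Second, CORS governs only whether the browser lets page script read a response: a simple request from any origin still reaches the backend and is executed, so the middleware must not be mistaken for access control, and the API's own authentication (the X-Auth-Token check) stays the thing that actually protects it.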