openstack team mailing list archive

Re: Using Nova APIs from Javascript: possible?

 

I see this as a feature, not a drawback. The inability to access portions of the HTTP protocol is there to defend against attacks such as cross site request forgeries. If we suppress that mechanism, we open up a lot of security holes.


On 04/23/2012 06:09 AM, Adrian Smith wrote:
The authentication request returns X-Storage-Url and X-Auth-Token
headers. For the JS client to see them they need to be referenced in
Access-Control-Expose-Headers. As of the last time checked, both these
headers were being stripped from the response before being presented
to JS.

Adrian


On 23 April 2012 10:35, Nick Lothian<nick.lothian@xxxxxxxxx>  wrote:
Hi Adrian,

Good to know this is a known issue.

Why does the client need to see custom headers from the server anyway?
I know the client needs to pass the authorisation header to the server, but
I haven't seen any of the APIs yet that return custom headers. (It's likely
I'm missing them though)

Nick

On Apr 23, 2012 5:40 PM, "Adrian Smith"<adrian@xxxxxxxx>  wrote:
Hi Nick,

I did some work with CORS a few months back [1].

At the time I couldn't get any browser to work properly with CORS so I
just parked the code. The problem was lack of support for the
Access-Control-Expose-Headers header.

According to the Chrome bug report [2] this issue may well be fixed
now so I need to retest.

Adrian

[1] http://www.mail-archive.com/openstack@xxxxxxxxxxxxxxxxxxx/msg07219.html
[2] http://code.google.com/p/chromium/issues/detail?id=87338


On 23 April 2012 06:19, Nick Lothian<nick.lothian@xxxxxxxxx>  wrote:
Hi,

I've been playing with the Nova APIs from Javascript, and I've run into a
problem.

The very first thing one needs to do to use the APIs is to get a token.

That requires a POST to the API endpoint. Using curl & trystack that looks
like this:

$ curl -k -X 'POST' -v https://nova-api.trystack.org:5443/v2.0/tokens \
    -d '{"auth":{"passwordCredentials":{"username": "<username>", "password":"<password>"}}}' \
    -H 'Content-type: application/json'


The Javascript equivalent (using JQuery) is:

     $.ajax({
         url: "https://nova-api.trystack.org:5443/v2.0/tokens",
         type: 'POST',
         headers: {"Content-Type": "application/json"},
         // Serialize the body to JSON; jQuery would otherwise form-encode the object
         data: JSON.stringify({"auth":{"passwordCredentials":{"username":"<username>",
             "password":"<password>"}}}),
         success: function(data) { alert(data); }
     });

That fails because the call is cross-domain, and Nova doesn't support CORS
(http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). <script> based
cross-domain requests only support GET requests, so that doesn't work
either.

I have raised a bug: https://bugs.launchpad.net/nova/+bug/987044, but I'm
really hoping someone can point out something obvious I'm missing here.

Regards
   Nick Lothian

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
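
An added example, not part of the original thread or of OpenStack's code: a small model of the browser's CORS response-header filtering discussed in the messages above, showing that X-Storage-Url and X-Auth-Token become readable to cross-origin script only when the server names them in Access-Control-Expose-Headers. The origins and header values are constructed, and the safelist follows the current Fetch standard rather than the 2012 browser behaviour the thread describes.

```javascript
// Response headers any cross-origin script may read (Fetch standard safelist).
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Never readable by script, even if the server lists them.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Parse the comma-separated Access-Control-Expose-Headers value.
function parseExposeList(value) {
  return (value || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

// responseHeaders: plain object of header name -> value (constructed input).
// Returns the sorted, lower-cased names that getResponseHeader() could read.
function readableHeaders(responseHeaders, { credentialed = false } = {}) {
  const headers = {};
  for (const [k, v] of Object.entries(responseHeaders)) headers[k.toLowerCase()] = v;
  const exposed = parseExposeList(headers["access-control-expose-headers"]);
  // "*" acts as a wildcard only for requests made without credentials.
  const wildcard = !credentialed && exposed.includes("*");
  return Object.keys(headers).filter(name =>
    !FORBIDDEN.has(name) &&
    (SAFELISTED.has(name) || wildcard || exposed.includes(name))
  ).sort();
}

// Constructed sample responses using the header names from the thread.
const withoutExpose = {
  "Content-Type": "application/json",
  "Access-Control-Allow-Origin": "https://dashboard.example",
  "X-Storage-Url": "https://storage.example/v1/AUTH_demo",
  "X-Auth-Token": "constructed-token-value",
};
const withExpose = {
  ...withoutExpose,
  "Access-Control-Expose-Headers": "X-Storage-Url, X-Auth-Token",
};

console.log(readableHeaders(withoutExpose)); // custom headers filtered out
console.log(readableHeaders(withExpose));    // custom headers now readable
```

Listing X-Auth-Token in Access-Control-Expose-Headers hands the token to any origin that Access-Control-Allow-Origin admits, so the two headers have to be scoped together.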




