openstack team mailing list archive

[Jan Drake <jan_drake@xxxxxxxxxxx>]

So, why such a focus on this?  IMO both JSONP and CORS are way too early stage to adopt and the security risks outweigh the rewards.  Usually, I see people doing this to enable mashups across separate providers.

Just curious why the focus/need is perceived in the community?  If this is really because of redirects then we probably have a broken model and/or improper distribution of responsibilities.

Love to know if I'm missing a real use case.  Can help fix model if it is broken.  Have much experience in this area.

IMO no solution should trick the browser.


Jan



On Apr 24, 2012, at 7:05 PM, Luis Gervaso <luis@xxxxxxxxx> wrote:

> The solution until the webservice deliver that headers is:
> 
> Solution 1:
> 
> 1. Put the webservice behind a remote or local proxy
> 2. Apply some a filter (decorator) for each response with the CORS headers (in the proxy) in order to trick the browser
> 
> Solution 2:
> 
> Some time ago I tested it with Chrome (disabling security) and it worked for me
> 
> Solution 3 (really dirty, but works):
> 
> Embedded Flash Proxy
> 
> 
> On Wed, Apr 25, 2012 at 3:09 AM, Nick Lothian <nick.lothian@xxxxxxxxx> wrote:
> Yes, this will work if I know in advance what server I will be connecting too.
> 
> However, it does remove the ability to support any cloud without intervention on the serverside.
> 
> On Apr 25, 2012 2:46 AM, "Joel Semar" <semarjt@xxxxxxxxx> wrote:
> Nick,
> 
> I know you said 'serverless clients' but you have to be serving the js from somewhere right?
> 
> If you are using nginx it can be as simple as:
> 
> location /nova/ {
>    proxy_pass: http://nova-api.trystack.org;
> }
> 
> then you can POST to yourserver/nova/v.02/.  from the browser
> 
> etc.
> (it's just about as simple on apache but you'd have to look it up)
> 
> 
> But then i guess this won't work for you if you are writing some distributable component/plugin/library.
> 
> (sorry if you've already dismissed this option but i thought it worth a shot since it has worked flawlessly for me in the past)
> 
> 
> 
> On Tue, Apr 24, 2012 at 9:49 AM, Sandy Walsh <sandy.walsh@xxxxxxxxxxxxx> wrote:
> 
> 
> On 04/24/2012 11:19 AM, Nick Lothian wrote:
> > JSONP is great, but won't work with POST requests.
> 
> Hmm, good point.
> 
> > I don't quite understand what "Due to the redirect nature of the auth
> > system" means, though.
> >
> > If I use a custom Webkit browser & allow cross domain XMLHttpRequests it
> > works fine - I do a POST to /v2.0/tokens, get the token and then use
> > that. What am I missing?
> 
> The Auth system will give you a token and then a new "management" url
> where the actual commands are issued (the real Nova API endpoint). These
> are often two different systems (domains), so cross-site requests are
> mandatory.
> 
> -S
> 
> 
> 
> > Nick
> >
> > On Tue, Apr 24, 2012 at 8:57 PM, Sandy Walsh <sandy.walsh@xxxxxxxxxxxxx
> > <mailto:sandy.walsh@xxxxxxxxxxxxx>> wrote:
> >
> >     Due to the redirect nature of the auth system we may need JSONP support
> >     for this to work.
> >
> >
> >
> >     _______________________________________________
> >     Mailing list: https://launchpad.net/~openstack
> >     Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> >     <mailto:openstack@xxxxxxxxxxxxxxxxxxx>
> >     Unsubscribe : https://launchpad.net/~openstack
> >     More help   : https://help.launchpad.net/ListHelp
> >
> >
> >
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~openstack
> > Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> > Unsubscribe : https://launchpad.net/~openstack
> > More help   : https://help.launchpad.net/ListHelp
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
> 
> 
> 
> -- 
> Cheers,
> 
> Joel
> 
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
> 
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
> 
> 
> 
> 
> -- 
> -------------------------------------------
> Luis Alberto Gervaso Martin
> Woorea Solutions, S.L
> CEO & CTO
> mobile: (+34) 627983344
> luis@xxxxxxxxx
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp