
[cors] Unrestricted access

From: Jaka Jančar <jaka@kubje.org>
Date: Tue, 13 Jul 2010 12:35:02 +0200
Message-ID: <AANLkTik5CsN8lLgQGwLVJUPkFwdUb9ugVe9cQyfn4v7o@mail.gmail.com>
To: public-webapps@w3.org
Our API host is meant to be accessed only via XMLHttpRequest. No cookies are
involved, no "classic" web assumptions made. Every request must be
separately authenticated. Any request can be sent. The entire response can
be read. For native clients, this presents no problem. To allow this to
happen from browsers, our responses are becoming increasingly complex and
large:

    public function handleRequest(Request $request)
    {
        $response = parent::handleRequest($request);

        // Any origin may read the response; no cookies are involved.
        $response->setHeader('Access-Control-Allow-Origin', '*');

        return $response;
    }

    public function handleOptions(Request $request)
    {
        $response = parent::handleOptions($request);

        // Preflight: advertise the methods the resource already allows and
        // reflect whatever request headers the browser announced.
        $response->setHeader('Access-Control-Allow-Methods',
            $response->getHeader('Allow'));
        $response->setHeader('Access-Control-Allow-Headers',
            $request->getHeader('Access-Control-Request-Headers'));
        $response->setHeader('Access-Control-Max-Age', '60');

        return $response;
    }

To this I should now add an Access-Control-Expose-Headers header with the
names of all of the headers in the response, minus those in the whitelist.
Perhaps there are other things that I forgot.

What I'd like is a global (per-host) way to disable these limitations all at
once, giving XHR unrestricted access to the host, just like native apps have
it.
Received on Tuesday, 13 July 2010 10:35:30 GMT
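The header computation the post walks through (wildcard origin, reflected preflight headers, and the Access-Control-Expose-Headers field built from the response's header names minus the browser's safelist), as an added example that is not part of the original message. It assumes headers are passed as plain dicts and that the Allow value is supplied by the caller; the safelisted response header names are the ones a browser exposes without an Expose-Headers field.

```python
"""Compute the CORS response headers described in the post (added example).

Assumptions (not from the post): request and response headers are plain
dicts of name -> value, and Access-Control-Allow-Origin '*' is acceptable
only because the API sends no cookies and authenticates every request.
"""

# Response headers a browser lets XHR read even without an
# Access-Control-Expose-Headers field (the "whitelist" the post mentions).
SAFELISTED_RESPONSE_HEADERS = {
    "cache-control", "content-language", "content-type",
    "expires", "last-modified", "pragma",
}

MAX_AGE_SECONDS = 60  # same cache lifetime the post uses


def preflight_headers(request_headers, allow):
    """Headers for an OPTIONS preflight.

    `allow` is the resource's own Allow value (the post copies it from the
    Allow header of the OPTIONS response)."""
    hdrs = {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Methods": allow,
        "Access-Control-Max-Age": str(MAX_AGE_SECONDS),
    }
    # Reflect the headers the browser announced; omit the field if none.
    lowered = {k.lower(): v for k, v in request_headers.items()}
    requested = lowered.get("access-control-request-headers")
    if requested:
        hdrs["Access-Control-Allow-Headers"] = requested
    return hdrs


def actual_response_headers(response_headers):
    """Headers for the actual (non-preflight) response: the wildcard origin
    plus Access-Control-Expose-Headers naming every response header outside
    the safelist, so the script can read the entire response."""
    hdrs = {"Access-Control-Allow-Origin": "*"}
    exposed = sorted(
        name for name in response_headers
        if name.lower() not in SAFELISTED_RESPONSE_HEADERS
    )
    if exposed:
        hdrs["Access-Control-Expose-Headers"] = ", ".join(exposed)
    return hdrs
```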
