No title, Revision 336165353037 (Mon Nov 28 2011 at 19:59)
Link to this snippet: https://friendpaste.com/4q1zeNUEtPFS7XbioPYYzM

guidelines :
------------

- rules should be based on host
- rules depending on the resource :
    - server : rules defined in .ini
    - db : rules defined in .db
- default cors policy (open for discussion)
    - allow credentials = false
    - cors enabled
- cors can be disabled globally

rules definition :

server-wide (.ini) :

[httpd]
cors_enabled = true

[origins]
domain.tld = http://origin.tld, https://origin.tld

[http://origin.tld]
allow_methods = GET, POST
allow_headers = x-couchdb-...
allow_credentials = false

[https://origin.tld]
allow_methods = GET, PUT, POST, DELETE
allow_headers = x-couchdb-...
allow_credentials = true
allow_server_admins = true
max-age = 36000

on the db _security object :

{
  "origins": {
    "domain.tld": [
      {"http://origin.tld": {
        "allow_methods": "GET, POST",
        ...}}
    ]
  }
}

work flow (run for request handling, and again after any rewrite) :

for /db resources, including system dbs, use the db _security object
for all other resources (e.g. /_uuids), or when there is no _security object, use the ini configuration

is the 'origins' section empty or nonexistent ?
    yes -> is admin party set ?
        yes -> return "*", credentials false (with a good caching policy)
        no -> stop
    no -> run the following steps

[apply cors steps]

is Host in 'origins' ?
    yes -> is Origin in 'origins[Host]' ?
        yes -> set the cors headers based on 'origins[Host]'
        no -> fail
    no -> <bikeshed defaults>
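
The work flow above as a small Python sketch (an added example, not CouchDB code and not part of the original paste). The function and outcome names, the dict form of the parsed ini, and the mapping from rule keys to Access-Control-* response headers are assumptions; allow_server_admins and the <bikeshed defaults> branch are left unimplemented because the notes do not define them.

```python
# Added illustration: hypothetical names, constructed sample data.
INI = {  # constructed sample mirroring the ini layout in the notes
    "httpd": {"cors_enabled": "true"},
    "origins": {"domain.tld": "http://origin.tld, https://origin.tld"},
    "http://origin.tld": {"allow_methods": "GET, POST", "allow_credentials": "false"},
    "https://origin.tld": {"allow_methods": "GET, PUT, POST, DELETE",
                           "allow_credentials": "true", "max-age": "36000"},
}

def rules_from_ini(ini):
    """Flatten [origins] plus the per-origin sections into {host: {origin: rules}}."""
    out = {}
    for host, origins in ini.get("origins", {}).items():
        names = [o.strip() for o in origins.split(",") if o.strip()]
        out[host] = {o: ini.get(o, {}) for o in names}
    return out

def rules_from_security(sec):
    """Flatten the _security 'origins' member into {host: {origin: rules}}."""
    return {host: {o: r for entry in entries for o, r in entry.items()}
            for host, entries in sec.get("origins", {}).items()}

def decide(ini, host, origin, security=None, admin_party=False):
    """Return (outcome, response_headers) for one request, following the work flow."""
    if ini.get("httpd", {}).get("cors_enabled", "true") != "true":
        return "disabled", {}          # global switch; the notes default to enabled
    # /db resources pass their _security object; everything else uses the ini rules
    rules = rules_from_security(security) if security is not None else rules_from_ini(ini)
    if not rules:
        if admin_party:                # wildcard is only ever sent without credentials
            return "wildcard", {"Access-Control-Allow-Origin": "*"}
        return "stop", {}
    if host not in rules:
        return "defaults", {}          # left open in the notes (<bikeshed defaults>)
    r = rules[host].get(origin)
    if r is None:
        return "fail", {}              # origin not listed for this host: no CORS headers
    headers = {"Access-Control-Allow-Origin": origin}  # echo the exact origin, never "*"
    for key, name in (("allow_methods", "Access-Control-Allow-Methods"),
                      ("allow_headers", "Access-Control-Allow-Headers"),
                      ("max-age", "Access-Control-Max-Age")):
        if key in r:
            headers[name] = r[key]
    if r.get("allow_credentials") == "true":
        headers["Access-Control-Allow-Credentials"] = "true"
    return "allow", headers
```

Passing a db's _security object overrides the ini rules entirely for that request, so an origin allowed server-wide still fails on a database that does not list it.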