Revision 336165353037 () - Diff

Link to this snippet: https://friendpaste.com/4q1zeNUEtPFS7XbioPYYzM
guidelines :
----------

- rules should be based on host
- rules depending on the resource :
  - server : rules defined in the .ini
  - db : rules defined in the db's _security object

- default cors policy (open for discussion)
  - allow_credentials = false
  - cors enabled
  - cors can be disabled globally


rules definition :
------------------

global (server-wide, in the .ini) :

[httpd]
cors_enabled = true

[origins]
domain.tld = http://origin.tld, https://origin.tld

[http://origin.tld]
allow_methods = GET, POST
allow_headers = x-couchdb-...
allow_credentials = false


[https://origin.tld]
allow_methods = GET, PUT, POST, DELETE
allow_headers = x-couchdb-...
allow_credentials = true
allow_server_admins = true
max-age = 36000


on the db _security object :

{
  "origins": {
    "domain.tld": [
      {"http://origin.tld": { "allow_methods": "GET, POST",
                              ... } }
    ]
  }
}


workflow (run for request handling, and again after any rewrite):

- for /db resources, including system dbs, use the db _security object
- for all other resources (e.g. /_uuids), or when there is no _security object, use the ini configuration

is the 'origins' section empty or non-existent ?
  yes -> is admin party set ?
    yes -> return "*", credentials false (with a good caching policy)
    no -> stop
  no -> run the following steps [apply cors steps]
    is Host in 'origins' ?
      yes -> is Origin in 'origins[Host]' ?
        yes -> set the cors headers based on 'origins[Host]'
        no -> fail
      no -> <bikeshed defaults>
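The rules layout and the workflow above, worked through as an added Python example (not code from the snippet or from CouchDB). It parses a constructed .ini in the proposed layout, flattens a constructed _security object of the proposed list-of-dicts shape, and walks the decision tree for one request. Assumptions, labelled in the comments: the caller passes the target db's _security object for /db requests and None for other resources; "<bikeshed defaults>" is treated as "emit no CORS headers"; the elided "x-couchdb-..." header is replaced by the placeholder x-example-header; allow_server_admins is carried through but mapped to no header, since the snippet does not define its meaning.

```python
import configparser

# Constructed sample server-wide .ini, following the layout proposed in the snippet.
# "x-example-header" is a placeholder for the elided "x-couchdb-..." header name.
SAMPLE_INI = """\
[httpd]
cors_enabled = true

[origins]
domain.tld = http://origin.tld, https://origin.tld

[http://origin.tld]
allow_methods = GET, POST
allow_headers = x-example-header
allow_credentials = false

[https://origin.tld]
allow_methods = GET, PUT, POST, DELETE
allow_headers = x-example-header
allow_credentials = true
allow_server_admins = true
max-age = 36000
"""

# Constructed sample db _security object in the list-of-dicts shape from the snippet.
SAMPLE_SECURITY = {
    "origins": {
        "domain.tld": [
            {"http://origin.tld": {"allow_methods": "GET, POST",
                                   "allow_headers": "x-example-header",
                                   "allow_credentials": "false"}}
        ]
    }
}


def load_ini_rules(ini_text):
    """Parse the .ini into (cors_enabled, {host: {origin: options}})."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    enabled = cp.getboolean("httpd", "cors_enabled", fallback=True)
    rules = {}
    if cp.has_section("origins"):
        for host, origin_list in cp.items("origins"):
            rules[host] = {}
            for origin in (o.strip() for o in origin_list.split(",") if o.strip()):
                # Each allowed origin has its own [origin] section holding its options.
                rules[host][origin] = dict(cp.items(origin)) if cp.has_section(origin) else {}
    return enabled, rules


def load_security_rules(security):
    """Flatten the _security 'origins' structure into {host: {origin: options}}."""
    rules = {}
    for host, entries in (security.get("origins") or {}).items():
        rules[host] = {}
        for entry in entries:
            for origin, options in entry.items():
                rules[host][origin] = options
    return rules


def build_headers(origin, options):
    """Translate one origin's options into CORS response headers."""
    # The allowed origin is echoed per request, so caches must key on Origin.
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if "allow_methods" in options:
        headers["Access-Control-Allow-Methods"] = options["allow_methods"]
    if "allow_headers" in options:
        headers["Access-Control-Allow-Headers"] = options["allow_headers"]
    if str(options.get("allow_credentials", "false")).lower() == "true":
        headers["Access-Control-Allow-Credentials"] = "true"
    if "max-age" in options:
        headers["Access-Control-Max-Age"] = options["max-age"]
    return headers


def cors_headers(host, origin, ini_text, security=None, admin_party=False):
    """Run the snippet's workflow for one request.

    security is the _security object of the db the request targets, or None
    for non-db resources such as /_uuids (assumption: the caller decides which).
    Returns the headers to emit, or None when the workflow says 'stop' or 'fail'.
    """
    enabled, ini_rules = load_ini_rules(ini_text)
    if not enabled:
        return None  # cors disabled globally
    origins = ini_rules if security is None else load_security_rules(security)
    if not origins:
        if admin_party:
            # Open policy: any origin, never with credentials.
            return {"Access-Control-Allow-Origin": "*",
                    "Access-Control-Allow-Credentials": "false"}
        return None  # stop
    host_rules = origins.get(host)
    if host_rules is None:
        return None  # <bikeshed defaults>: assumed here to mean "no CORS headers"
    options = host_rules.get(origin)
    if options is None:
        return None  # fail: this origin is not allowed for this host
    return build_headers(origin, options)
```

Two points worth checking against the design: the Origin header is only ever echoed back when it is listed for the request's Host, never reflected blindly, and a Vary: Origin header accompanies it so a shared cache cannot serve one origin's response (with its credentials flag) to another. The admin-party branch returns "*" with credentials false, which is the only combination browsers accept for a wildcard origin.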