Revision 356230613134 () - Diff

Link to this snippet: https://friendpaste.com/4q1zeNUEtPFS7XbioPYYzM
Embed:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
es : 
----------

- rules shoudl be based on host .
- rules depending on the resource :
  - server : rules defined in .ini
  - db : rules defined in .db

- default cors policy : 
    - allows credential = false
    - cors enabled
- cors can be disabled globaly



rules definiton : 

global wide

[httpd]
cors_enabled = true

[origins]
domain.tld = http://origin.tld, https://origin.tld

[http://origin.tld]
allow_methods = GET, POST
allow_headers = x-couchdb-...
allow_credentials = false


[https://origin.tld]
allowed_methods = GET, PUT, POST, DELETE
allow_headers = x-couchdb-...
allow_credentials = true
allow_server_admins = true
max-age = 36000


ond db _security object :


{
    "origins": {
        "domain.tld": [
            {"http://origin.tld": { "allow_methods": ["GET", "POST"] ,
...}
        ]
    }
}



work flow : 

is origins list not empty in ini 
no -> is admin set ? 
  yes -> stop 
  no -> return "*" , credentials false (with a good caching policy) 
yes -> 

is origin in .ini ? 
yes -> use cors rules for it 
no -> are we on a db resource ? 
  yes -> are origins in db sec obj 
   
yes -> 
   is origin in list ? 
   no -> stop 
   yes -> ...