Skip to content

Instantly share code, notes, and snippets.

@max-mapper

max-mapper/cors.js

Created March 26, 2011 18:56
Show Gist options
  • Save max-mapper/888539 to your computer and use it in GitHub Desktop.
Save max-mapper/888539 to your computer and use it in GitHub Desktop.
Download ZIP
couchdb cors _show function, put in the shows folder
Raw
cors.js
function(head, req){
return {
"headers": {
"Access-Control-Allow-Origin": "*"
}
}
}
Raw
rewrites.json
[
{
"from": "",
"to": "_show/cors",
"method": "OPTIONS"
}
]
@jhs
Copy link

jhs commented May 14, 2011

This is not going to work. The CORS policy needs to be specified in a database-wide way because that is how access-control works. The validate_doc_update() will want to see the req.headers.Origin value so it can decide about cross-origin permission. In other words, whether a request was cross-origin can be a factor in the validator policy.

Furthermore, OPTIONS must be supported for any resource that couch serves, so it needs support from couch http to cover all possible requests. Maybe you could bluff with _show and _update but that spins up a couchjs for every http query.

I am working on a couchdb plugin to handle this natively based on the db/_security object. Let me know if you want to try it out.

@jhs
Copy link

jhs commented May 14, 2011

My new idea is you put /db/_security

{ "readers": ["blah"]
, "admins": ["blah"]
, "cors": { "origins": [ "http://some.foreign.origin.com", "http://somecouch.iriscouch.com:5984" ]
             }
}

And couch will support an OPTIONS query for any resource in that database, returning the headers it needs based on the client Origin

your validate_doc_update() can also decide about cross-origin updates, based on req.headers.Origin vs. sec.cors.origins

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment