-
Improvement
-
Resolution: Fixed
-
High
-
2013-03-11
-
None
Currently we allow "simple" CORS requests as per MBS-2979. These don't use authentication, additional headers and use simple Content-type. They don't need any preflights and work fine.
Some clients make preflight requests though. Sometimes these are bugs, sometimes they support a wider range of servers with the same code.
One of these clients currently not working unpatched is swagger https://developers.helloreverb.com/swagger/ (see MBS-5307)
We should handle preflight requests as per http://www.w3.org/TR/cors/#resource-preflight-requests
(nice graphic in http://www.html5rocks.com/static/images/cors_server_flowchart.png)
We still don't allow submitting data per CORS. So no authentication/credentials and only the GET method.
Adding this feature wouldn't be a problem, but a potential security issue (malicious sites use a user-login)
[MBS-6033] Allow CORS preflights
Not supporting CORS on ws/2 is blocking migrating my ISRC submission tool: https://www.kepstin.ca/magicisrc/ from ws/1 to ws/2.
In this case, since it's an authorized (could include oauth bearer token) POST request with an application/xml body, the OPTIONS response for the preflight should include:
Access-Control-Allow-Method: POST, GET, OPTIONS
Access-Control-Allow-Headers: Authorization, Content-Type
The review linked above is no longer open, so I am re-opening the ticket. If there is an open review, please link to it here and change the status back to review submitted.
Adding complete OPTIONS support (MBS-6072) is now a requirement for merging preflight support.
Both will probably be implemented in the same (role) module.
When implementing non-CORS OPTIONS we should add tests to make sure these don't interfere with each other. I fear they do, though.
That would mean we have to implement our own. (Plack::Middleware::Allow?)
As per ocharles' not on PR #63 it might be wise to update the implemenatation to use Plack::Middleware
That would make upgrading to allow any OPTIONS request easier (requestet in this PR).
There are these components I found:
For testing purposes I prepared an example using WS/2 from musicbrainz.org (not working):
http://mbsandbox.org/~jonnyjd/swagger2/#!/ws2/lookupArtistById_get_0
and one using WS/2 from my mbsandbox (working):
http://mbsandbox.org/~jonnyjd/swagger3/#!/ws2/lookupArtistById_get_0
Both do load the API, but the swagger2 example won't give a result when clicking on the "Try it" button.
The swagger3 version (with the patch) will give a result. (Might be an error message if the mbid is wrong)
You can just give any string (like "blub") as mbid. The main difference is if the server returns a result at all, not what the result is (error message, actual entity).
I also use a patched version of swagger (without a number appended), that one works with mb.o already.
https://github.com/metabrainz/musicbrainz-server/pull/1082