request for CORS support

Bug #1222583 reported by Geoffrey Irving
Affects: hockeypuck
Status: Triaged
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

Can we teach hockeypuck keyservers to speak the CORS protocol (https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) so that client JavaScript code can access keyservers directly? Since keyserver data is entirely public, a completely open policy should be fine, which would mean adding the HTTP header

    Access-Control-Allow-Origin: *

Background: I am writing a JavaScript web of trust visualizer. This change would avoid the need for a proxy server to add the CORS header.

Tags: enhancement
Geoffrey Irving (irving-naml) wrote :

By the way, if the concept is acceptable I'm happy to write a draft patch. The patch is trivial if complete openness is fine, a bit more delicate if only certain requests are allowed.

Casey Marshall (cmars) wrote :

I think this is a fantastic idea. I'd like to implement this by making it a configuration file option. That way the server admin can decide what CORS policy is most appropriate, and the package maintainer can choose the best default setting for the distribution. I agree wildcard is appropriate for a public keyserver, but I do not want to hard-code this.

Changed in hockeypuck:
status: New → Triaged
importance: Undecided → Medium
Geoffrey Irving (irving-naml) wrote :

Would you want a global option or detailed configuration per kind of request? A global option seems reasonable, although we still should document all functions that expose interfaces as being public data only, since a config option that turns on a security hole is no good. Also, I don't think we should support anything other than nothing and *.
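
The design discussed in this thread, as an added Go example that is not hockeypuck's code and not written by either commenter: a single global setting that accepts only "nothing" or `*`, applied as a wrapper around handlers that serve public data. The names `ParseCORSPolicy`, `WithCORS` and `AllowOriginFor` and the config value are assumptions; the lookup request, key ID and origin are constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ErrBadCORSPolicy: a hypothetical config option may only be "" (off) or "*".
var ErrBadCORSPolicy = errors.New(`cors: allow-origin must be "" or "*"`)

func ParseCORSPolicy(v string) (string, error) {
	if v != "" && v != "*" {
		return "", fmt.Errorf("%w, got %q", ErrBadCORSPolicy, v)
	}
	return v, nil
}

// WithCORS adds the open header when policy is "*"; it never sets Allow-Credentials.
func WithCORS(policy string, next http.Handler) http.Handler {
	if policy == "" {
		return next
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", policy)
		next.ServeHTTP(w, r)
	})
}

// AllowOriginFor returns the header seen for a constructed cross-origin lookup.
func AllowOriginFor(configValue string) (string, error) {
	policy, err := ParseCORSPolicy(configValue)
	if err != nil {
		return "", err
	}
	lookup := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "constructed key data") })
	req := httptest.NewRequest("GET", "/pks/lookup?op=get&search=0xDEADBEEF", nil)
	req.Header.Set("Origin", "https://visualizer.example")
	rec := httptest.NewRecorder()
	WithCORS(policy, lookup).ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin"), nil
}

func main() {
	for _, v := range []string{"", "*", "https://visualizer.example"} {
		fmt.Println(AllowOriginFor(v))
	}
}
```

Rejecting every value except the empty string and `*` at config-parse time means a misconfiguration fails at startup instead of silently reflecting or allow-listing an origin.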
