OpenStack APIs should support CORS to be usable from Javascript
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
oslo.middleware | Fix Released | Wishlist | Richard Jones |
Bug Description
OpenStack does not support CORS (http://
That means that any API which requires a POST request cannot be used from Javascript in a browser unless it is served from the same domain and port as the API is served from.
There doesn't seem to be a reason for this - the APIs are specifically designed to be called from other domains, so I suspect this is just an oversight.
Here is sample code that I think should be supported. It fails on the OPTIONS request (which occurs with Cross Domain XMLHttpRequests to check that the server supports them).
<html>
<body>
<button onclick="go()">Try It</button>
<script src="http://
<script type="text/
function go() {
osuser = "username"
ospassword = "password"
params = '{"auth"
$.ajax({
url: "nova-api.
type: 'POST',
headers: {"Content-Type": "application/
data: params,
success: function(data) { alert(data); }
});
}
</script>
</body>
</html>
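What the OPTIONS preflight described in the report needs from the server, as an added example (not code from this bug report or from oslo.middleware): a minimal WSGI middleware with an exact-match origin allowlist. The origin `https://dashboard.example.org`, the `api` stand-in and the `call` helper are assumptions constructed for illustration.

```python
# Added example, not oslo.middleware code: CORS handling as WSGI middleware.
ALLOWED_ORIGINS = frozenset({"https://dashboard.example.org"})  # hypothetical UI origin
ALLOWED_METHODS = ("GET", "POST")
ALLOWED_HEADERS = ("Content-Type",)


class CorsMiddleware:
    def __init__(self, app, origins=ALLOWED_ORIGINS):
        self.app, self.origins = app, frozenset(origins)

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        # Echo only an exact allowlisted origin; never reflect arbitrary input.
        cors = ([("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]
                if origin in self.origins else [])
        wanted = environ.get("HTTP_ACCESS_CONTROL_REQUEST_METHOD")
        if environ["REQUEST_METHOD"] == "OPTIONS" and origin and wanted:
            # Preflight: answer here; the API itself has no OPTIONS handler.
            if cors and wanted in ALLOWED_METHODS:
                cors += [("Access-Control-Allow-Methods", ", ".join(ALLOWED_METHODS)),
                         ("Access-Control-Allow-Headers", ", ".join(ALLOWED_HEADERS)),
                         ("Access-Control-Max-Age", "600")]
            else:
                cors = []  # no CORS headers: the browser refuses the real request
            start_response("200 OK", cors + [("Content-Length", "0")])
            return [b""]

        def with_cors(status, headers, exc_info=None):
            return start_response(status, list(headers) + cors, exc_info)
        return self.app(environ, with_cors)


def api(environ, start_response):
    # Stand-in for an API endpoint that only implements POST.
    if environ["REQUEST_METHOD"] != "POST":
        start_response("405 Method Not Allowed", [("Content-Length", "0")])
        return [b""]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b"{}"]


def call(app, method, **headers):
    """Run one constructed request; return (status, response header dict)."""
    seen = {}
    environ = dict(REQUEST_METHOD=method, PATH_INFO="/", **headers)
    app(environ, lambda s, h, e=None: seen.update(status=s, headers=dict(h)))
    return seen["status"], seen["headers"]
```

The CORS headers only decide what a browser lets the calling page read; a POST from an origin outside the allowlist still reaches `api`, so the API's own authentication remains the access control.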
summary:
- OpenStack APIs cannot be used from Javascript
+ OpenStack APIs should support CORS to be usable from Javascript
Changed in nova:
importance: Undecided → Wishlist
status: Incomplete → Confirmed
Changed in nova:
assignee: nobody → Chmouel Boudjnah (chmouel)
Changed in nova:
status: Confirmed → Invalid
Changed in oslo:
assignee: Chmouel Boudjnah (chmouel) → Ondergetekende (kvdveer)
Changed in oslo:
status: In Progress → Triaged
Changed in oslo.middleware:
assignee: nobody → Richard Jones (r1chardj0n3s)
Changed in oslo.middleware:
status: Triaged → In Progress
Changed in oslo.middleware:
status: Fix Committed → Fix Released
I'm not sure this is a bug, as we didn't make 'ability to interact through client-side javascript' an explicit requirement of the API design.
CORS isn't something I'm familiar with, so can you first help me understand why any changes need to be made at all? From my perspective, it appears that any client should be able to use our API from any domain with the proper credentials. Is that false?