OpenStack APIs should support CORS to be usable from Javascript

Bug #987044 reported by nickl
Affects: oslo.middleware
Status: Fix Released
Importance: Wishlist
Assigned to: Richard Jones

Bug Description

OpenStack does not support CORS (http://en.wikipedia.org/wiki/Cross-origin_resource_sharing).

That means that any API which requires a POST request cannot be used from Javascript in a browser unless it is served from the same domain and port as the API is served from.

There doesn't seem to be a reason for this - the APIs are specifically designed to be called from other domains, so I suspect this is just an oversight.

Here is sample code that I think should be supported. It fails on the OPTIONS request (which occurs with cross-domain XMLHttpRequests to check that the server supports them).

<html>

<body>
    <button onclick="go()">Try It</button>

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<script type="text/javascript">

function go() {
    var osuser = "username";
    var ospassword = "password";

    // Keystone v2.0 password-credentials request body
    var params = JSON.stringify({
        auth: {passwordCredentials: {username: osuser, password: ospassword}}
    });

    $.ajax({
        // absolute URL with a scheme (https assumed); without one jQuery
        // treats the value as a path relative to the current page
        url: "https://nova-api.trystack.org:5443/v2.0/tokens",
        type: 'POST',
        // a JSON Content-Type is not a "simple" header, so the browser sends
        // an OPTIONS preflight before the POST
        headers: {"Content-Type": "application/json"},
        data: params,
        success: function(data) { alert(JSON.stringify(data)); }
    });
}

</script>

</body>

</html>

Revision history for this message
Brian Waldon (bcwaldon) wrote :

I'm not sure this is a bug, as we didn't make 'ability to interact through client-side javascript' an explicit requirement of the API design.

CORS isn't something I'm familiar with, so can you first help me understand why any changes need to be made at all? From my perspective, it appears that any client should be able to use our API from any domain with the proper credentials. Is that false?

Changed in nova:
status: New → Incomplete
Revision history for this message
nickl (nick-lothian) wrote :

> From my perspective, it appears that any client should be able to use our API from any domain with the proper credentials. Is that false?

Yes, this is false.

HTTP POSTs need to be done using the browser's XMLHttpRequest mechanism. Generally that isn't allowed to do cross-domain requests, unless explicitly allowed by CORS.

The Mozilla docs are quite good: https://developer.mozilla.org/en/http_access_control

I asked on the mailing list, and Adrian Smith said he had looked at this in the past: https://lists.launchpad.net/openstack/msg10366.html

Apparently a browser bug was stopping it working correctly, but this looks to have been corrected.

Revision history for this message
Dolph Mathews (dolph) wrote :

I would assume that this is a deployment concern, not a bug. If you deploy all services behind the same protocol, hostname, port, etc., with httpd/nginx virtual hosts you should be able to satisfy any paranoid browsers, no?

Revision history for this message
nickl (nick-lothian) wrote :

> with httpd/nginx virtual hosts you should be able to satisfy any paranoid browsers, no?

Whilst that is factually correct, there is an entire set of use cases it misses.

The entire purpose of webservice APIs is to allow them to be called externally, without having to host services yourself.

People should be able to write clients (think dashboard-type tools) that connect from 3rd party sites.

Revision history for this message
Dolph Mathews (dolph) wrote :

If you want to deploy with CORS headers, OpenStack is certainly not preventing you from doing so.

(Or perhaps I'm not clear on what the unsolvable use case is here?)

Revision history for this message
nickl (nick-lothian) wrote :

Firstly, making CORS work is non-trivial. I wouldn't know where to start - you don't just turn it on in Apache/Nginx - it requires changes to the Python middleware.

Secondly, I'd like it to work against *any* OpenStack cloud, rather than a customized one. I can write tools in Python, Java etc. - why not JavaScript?

Toolmakers are a valid audience, and one OpenStack should support IMHO.
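The "changes to the Python middleware" the thread keeps circling are small in code terms. The following is an added example, not the oslo.middleware implementation or any code from this bug's participants: a minimal CORS WSGI middleware that answers the OPTIONS preflight itself, echoes only allowlisted origins (never `*`, since the API is credentialed), and adds `Vary: Origin`. A constructed stand-in for the tokens endpoint and a constructed `browser_flow` helper replay exactly what the reporter's `$.ajax` POST triggers in a browser: preflight first, then the POST. The origins `https://dashboard.example` and `https://other.example` are made up for the example.

```python
"""Added example: minimal CORS WSGI middleware driven offline (not oslo.middleware)."""
import io
import json


class CORSMiddleware:
    """Let browsers on allowlisted origins call the wrapped WSGI API cross-site."""

    def __init__(self, app, allowed_origins,
                 allowed_methods=("GET", "POST", "PUT", "DELETE"),
                 allowed_headers=("Content-Type", "X-Auth-Token")):
        self.app = app
        # Exact-match allowlist: echoing any Origin (or "*") would let every
        # website read responses from a credentialed API.
        self.allowed_origins = set(allowed_origins)
        self.allowed_methods = tuple(allowed_methods)
        self.allowed_headers = tuple(allowed_headers)

    def _allow_headers(self, origin):
        # Vary: Origin stops a shared cache serving one origin's response to another.
        return [("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        if origin not in self.allowed_origins:
            # Same-origin, non-browser, or unlisted origin: no CORS headers,
            # so a browser on another site cannot read the response.
            return self.app(environ, start_response)

        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            # Preflight: answered here, never reaches the API handler.
            method = environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"]
            wanted = environ.get("HTTP_ACCESS_CONTROL_REQUEST_HEADERS", "")
            wanted = {h.strip().lower() for h in wanted.split(",") if h.strip()}
            permitted = {h.lower() for h in self.allowed_headers}
            if method not in self.allowed_methods or not wanted <= permitted:
                start_response("403 Forbidden", [("Content-Length", "0")])
                return [b""]
            headers = self._allow_headers(origin) + [
                ("Access-Control-Allow-Methods", ", ".join(self.allowed_methods)),
                ("Access-Control-Allow-Headers", ", ".join(self.allowed_headers)),
                ("Access-Control-Max-Age", "3600"),
                ("Content-Length", "0"),
            ]
            start_response("204 No Content", headers)
            return [b""]

        def wrapped_start_response(status, headers, exc_info=None):
            return start_response(status, list(headers) + self._allow_headers(origin), exc_info)

        return self.app(environ, wrapped_start_response)


def tokens_app(environ, start_response):
    """Constructed stand-in for a v2.0 tokens endpoint (not Keystone)."""
    if environ["REQUEST_METHOD"] != "POST":
        start_response("405 Method Not Allowed", [("Content-Length", "0")])
        return [b""]
    body = json.loads(environ["wsgi.input"].read(int(environ["CONTENT_LENGTH"])))
    user = body["auth"]["passwordCredentials"]["username"]
    out = json.dumps({"access": {"user": {"name": user}}}).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(out)))])
    return [out]


def call(app, method, headers, body=b""):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/v2.0/tokens",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    for name, value in headers.items():  # HTTP_* mapping is all this middleware reads
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = {}

    def start_response(status, response_headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(response_headers)

    data = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], data


def browser_flow(app, origin):
    """Replay what a browser does for the bug's $.ajax POST: preflight, then POST."""
    pre_status, hdrs, _ = call(app, "OPTIONS", {
        "Origin": origin, "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "content-type"})
    ok = (pre_status.startswith("2") and hdrs.get("Access-Control-Allow-Origin") == origin
          and "POST" in hdrs.get("Access-Control-Allow-Methods", "")
          and "content-type" in hdrs.get("Access-Control-Allow-Headers", "").lower())
    if not ok:
        return {"preflight": pre_status, "allowed": False, "body": None}
    creds = {"auth": {"passwordCredentials": {"username": "username", "password": "password"}}}
    _, hdrs, data = call(app, "POST", {"Origin": origin, "Content-Type": "application/json"},
                         json.dumps(creds).encode())
    # The browser also requires the allow header on the actual response.
    allowed = hdrs.get("Access-Control-Allow-Origin") == origin
    return {"preflight": pre_status, "allowed": allowed,
            "body": json.loads(data) if allowed else None}


# Constructed deployment: only the dashboard's origin is trusted.
APP = CORSMiddleware(tokens_app, allowed_origins={"https://dashboard.example"})

if __name__ == "__main__":
    print(browser_flow(APP, "https://dashboard.example"))
    print(browser_flow(APP, "https://other.example"))
```

Running the module shows both outcomes the thread describes: the trusted origin gets a 204 preflight and then the token response, while the unlisted origin's OPTIONS falls through to the API handler, gets a 405 and never sends the POST, which is exactly the failure the reporter saw against an API without CORS support. Because the API authenticates callers, the allowlist must be explicit per deployment; a wildcard origin on a credentialed endpoint would expose every user's responses to any site they happen to visit.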

Thierry Carrez (ttx)
summary: - OpenStack APIs cannot be used from Javascript
+ OpenStack APIs should support CORS to be usable from Javascript
Changed in nova:
importance: Undecided → Wishlist
status: Incomplete → Confirmed
Changed in nova:
assignee: nobody → Chmouel Boudjnah (chmouel)
Changed in nova:
status: Confirmed → Invalid
Revision history for this message
nickl (nick-lothian) wrote :

Why is it invalid?

Revision history for this message
Chmouel Boudjnah (chmouel) wrote :

Apologies, I should have explained: this should not be in nova but in oslo-incubator. I should probably have mentioned that it was waiting in https://review.openstack.org/#/c/21958/, which will fix the bug report.

affects: nova → oslo
Changed in oslo:
status: Invalid → In Progress
Changed in oslo:
assignee: Chmouel Boudjnah (chmouel) → Ondergetekende (kvdveer)
Changed in oslo:
status: In Progress → Triaged
Revision history for this message
Doug Hellmann (doug-hellmann) wrote :

Moved to oslo.middleware instead of oslo-incubator, since we now have a library for middleware classes.

Changed in oslo.middleware:
importance: Undecided → Wishlist
status: New → Triaged
no longer affects: oslo-incubator
Changed in oslo.middleware:
milestone: none → next-kilo
Changed in oslo.middleware:
assignee: nobody → Richard Jones (r1chardj0n3s)
Revision history for this message
Richard Jones (r1chardj0n3s) wrote :

I've captured this requirement in the spec here: https://blueprints.launchpad.net/oslo.middleware/+spec/cors-middleware

Changed in oslo.middleware:
status: Triaged → In Progress
Revision history for this message
Richard Jones (r1chardj0n3s) wrote :

New implementation up for review https://review.openstack.org/#/c/120964/

Revision history for this message
Davanum Srinivas (DIMS) (dims-v) wrote :
Changed in oslo.middleware:
status: In Progress → Fix Committed
Changed in oslo.middleware:
status: Fix Committed → Fix Released