[Mulgara-general] CORS headers

Paul Gearon gearon at ieee.org
Thu Sep 10 13:09:12 UTC 2009


On Thu, Sep 10, 2009 at 8:31 AM, Gregg Reynolds <dev at mobileink.com> wrote:
> Once I've done a little more experimenting with configurations I'll submit a
> patch, but in the meantime, in case anybody is interested, here's what you
> need to do to set the Access-Control-Allow-Origin header, per the CORS
> spec.  In
> src/jar/querylang/java/org/mulgara/protocol/http/ProtocolServlet.java stick
> something like the following in doGet:
>
>       String CORS_Origin = req.getHeader("Origin");
>       // getHeader returns null when the request has no Origin header
>       if (CORS_Origin != null && (CORS_Origin.startsWith("http://localhost") ||
>           CORS_Origin.startsWith("null"))) {
>         resp.setHeader("Access-Control-Allow-Origin", CORS_Origin);
>       }

"localhost" isn't really appropriate here, as there are lots of ways
to talk to the current server.

The two things I can think of are to check the session, or else to go
through our list of server aliases. The list of aliases makes me
uncomfortable for some reason (lack of authority in this list), though
it's probably OK. The session is worse, since cookies may be off, or a
browser could go off to another site which then tries to go back to
the Mulgara server.

The latter makes me wonder.... does this sort of configuration allow
for an AJAX application from some third party to run queries against
the data store? This is an important use case.

Paul
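
The alias-list approach mentioned in the reply above, sketched as an added example that is not part of the original thread or of Mulgara's code. The class name `CorsOriginPolicy`, the alias set and the `allowNull` switch are assumptions made for illustration; the check parses the Origin value and compares its host exactly instead of testing a string prefix.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Added illustration; CorsOriginPolicy and its alias set are hypothetical, not Mulgara code. */
public class CorsOriginPolicy {
    private final Set<String> aliases;  // host names this server answers to (assumed to be configured)
    private final boolean allowNull;    // whether the literal origin "null" is accepted

    public CorsOriginPolicy(Set<String> aliases, boolean allowNull) {
        this.aliases = aliases;
        this.allowNull = allowNull;
    }

    /** Returns the value for Access-Control-Allow-Origin, or null to omit the header. */
    public String allowedOrigin(String origin) {
        if (origin == null) return null;                      // request carried no Origin header
        if (origin.equals("null")) return allowNull ? "null" : null;
        try {
            URI u = new URI(origin);
            String scheme = u.getScheme();
            String host = u.getHost();
            if (scheme == null || host == null) return null;
            if (!scheme.equals("http") && !scheme.equals("https")) return null;
            // Compare the parsed host exactly: a prefix test on the raw string
            // would also accept a host such as "localhost.example.net".
            return aliases.contains(host.toLowerCase(Locale.ROOT)) ? origin : null;
        } catch (URISyntaxException e) {
            return null;                                      // malformed Origin value
        }
    }

    public static void main(String[] args) {
        CorsOriginPolicy policy = new CorsOriginPolicy(Set.of("localhost", "127.0.0.1"), false);
        // Constructed sample Origin values, not taken from real traffic
        String[] samples = {
            "http://localhost:8080", "http://localhost.example.net", "null", "http://127.0.0.1"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + policy.allowedOrigin(s));
        }
        System.out.println("(no Origin header) -> " + policy.allowedOrigin(null));
    }
}
```

In `doGet`, the header would be set with `resp.setHeader("Access-Control-Allow-Origin", value)` only when `allowedOrigin` returns a non-null value. Because the response then varies by requester, sending `Vary: Origin` alongside it keeps shared caches from serving one origin's response to another.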


