api-design-guide
CSR1000v REST API Fails To Meet Section 3 Guidelines, Namely 3.5.1.9
Attempts at XHR/AJAX to the REST API fail due to CORS. Reason: CORS header ‘Access-Control-Allow-Origin’ missing.
3.5.1.9 A service MUST support CORS simple and preflight request flows. Services SHOULD return "**" as the Access-Control-Allow-Origin header, unless the request is accompanied by an Origin header, in which case the service SHOULD return an Access-Control-Allow-Origin header with a value equal to that of the received Origin header. Services MUST NOT return an access-control-allow-credentials header in any HTTP response.
Were those requests preflighted? Some servers don't respond with the CORS headers unless they think it's required to.
Web server must respond with "Access-Control-Allow-Origin: *" or the XHR will fail every time. "Preflight" really has nothing to do with this. Am I wrong? I got XHR working with my CSR (on virtual box on my laptop) but only after installing a CORS Everywhere/CORS anywhere browser hack.
On Fri, Mar 24, 2017 at 12:05 PM, asgs [email protected] wrote:
were those requests preflighted https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests? Some servers don't respond with the CORS headers.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/CiscoDevNet/api-design-guide/issues/1#issuecomment-289082736, or mute the thread https://github.com/notifications/unsubscribe-auth/AMKS--O4vvS5GKOO1W2keVVU9r_fWao-ks5ro_fKgaJpZM4LFCuy .
--
- Ron Royston (504) 722-8412 https://rack.pub
You should post the complete XHR dump to see what's going on.
I know what's going on because I've spent the time and effort to utilize the REST interface. Your NGINX server is locked down (the NGINX credentials in CSR1000v are not published/available). It simply needs to have that 1 parameter either set, or configurable to be set on the web SERVER (in IOS Web management case, NGINX).
https://github.com/rhroyston/intrest/blob/master/script.js
See line 758 "function getToken(deviceId)" also line 882 "function httpReq( method, host, path, token)" on my intREST project on github. It's just vanilla XHR with minimal options/headers set.
BTW, I'm a freelance CCIE#6824 and looking for work (not employment). Why don't you hire me to flesh out some implementation guidelines or maybe an official Cisco intREST browser framework?
https://rack.pub
Well, you got it all figured out. The ways the XHRs are constructed look right. So it's a setting that any fronting webserver exposes, that needs to be set.
By the way, I'm in no way related to Cisco nor this particular GitHub project. I just randomly happened to visit this project because I was looking for information on SCIM implementation (from Cisco) and noticed that one issue that was open (or ever opened) here. Thought I'd do something about it.
Best wishes for your future work!
Got it. Yes, it's a setting on the Web server to allow CORS that's missing / the issue. Curl works fine (because it does not have the CORS security restrictions of browsers). I got it working and it's pretty slick. I'm on other paying projects at the moment and had to put intREST on the back burner for now.
BTW: I'll never be an employee again - I did that for 20 years. I work for me now. :-)
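Added example, not part of the thread and not code from Cisco or the intREST project: the response headers a service following guideline 3.5.1.9 would send for a simple request and for a preflight, written as a plain JavaScript function. The allowed method and header lists, the `X-Auth-Token` header name, the max-age value and the sample origin are assumptions for illustration.

```javascript
// Added example: response headers a service would send under guideline 3.5.1.9.
// ALLOWED_METHODS and ALLOWED_HEADERS are assumed values for illustration.
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["accept", "content-type", "x-auth-token"];

function corsResponse(method, requestHeaders) {
  // HTTP header names are case-insensitive; normalise before lookup.
  const h = {};
  for (const [name, value] of Object.entries(requestHeaders)) {
    h[name.toLowerCase()] = value;
  }
  const origin = h["origin"];

  // 3.5.1.9: "*" when no Origin was sent, otherwise echo the Origin back.
  const headers = { "Access-Control-Allow-Origin": origin || "*" };
  // An echoed value differs per caller, so shared caches must key on Origin.
  if (origin) headers["Vary"] = "Origin";
  // Access-Control-Allow-Credentials is never set (3.5.1.9 MUST NOT), so browsers
  // will not expose responses to credentialed (cookie-bearing) cross-origin requests.

  const requestedMethod = h["access-control-request-method"];
  const preflight = method === "OPTIONS" && Boolean(origin) && Boolean(requestedMethod);
  // status null: not a preflight, the normal handler answers and adds these headers.
  if (!preflight) return { preflight, status: null, headers };

  const requestedHeaders = (h["access-control-request-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const allowed = ALLOWED_METHODS.includes(requestedMethod) &&
    requestedHeaders.every((name) => ALLOWED_HEADERS.includes(name));
  // Refuse the preflight with no CORS headers; the browser then blocks the call.
  if (!allowed) return { preflight, status: 403, headers: {} };

  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = "600"; // assumed cache lifetime, seconds
  return { preflight, status: 204, headers };
}

// Constructed sample requests (not captured from a device).
const simple = corsResponse("GET", { Origin: "https://app.example" });
const pre = corsResponse("OPTIONS", {
  Origin: "https://app.example",
  "Access-Control-Request-Method": "PUT",
  "Access-Control-Request-Headers": "X-Auth-Token, Content-Type",
});
console.log(simple.headers, pre.status, pre.headers);
```

A browser sends the preflight on its own whenever the XHR carries a non-safelisted header such as a token header, so both branches have to return `Access-Control-Allow-Origin` for the call to succeed.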