Jerome Louvel

We should support the CORS approach now that it is widely implemented: http://www.w3.org/TR/cors/ New headers: - Access-Control-Allow-Origin - Access-Control-Allow-Credentials - Access-Control-Expose-Headers - Access-Control-Max-Age - Access-Control-Allow-Methods - Access-Control-Allow-Headers - Origin -...

Sounds good Andy. That would be a great enhancement to Restlet API

What I had in mind was something along the lines of the org.restlet.data.ChallengeRequest and ChallengeResponse classes: http://restlet.org/learn/javadocs/snapshot/jee/api/index.html?org/restlet/data/ChallengeRequest.html This org.restlet.data.AccessControlRequest and AccessControlResponse classse would be used via a Request#accessControlRequest and accessControlResponse...

That's definitely complementary. I'm not sure how the CorsService could work, but it could definitely let you configure and insert an inbound CorsFilter. Interested in details You might want to...

Andy, I looked at the code and find the implementation compelling, especially the handlePreflightRequest method. Once you get this stable, it would be great to refactor the CORS header manipulation...

I agree client-side support could be done as a second step, it isn't necessary for your use case. Having it could help building more secure browser-like clients / server-side mashups.

This is scheduled for version 2.3, see draft roadmap: https://github.com/restlet/restlet-framework-java/wiki/Road-map-of-version-2.3-(draft) Any contribution to make it happen earlier are welcome :)

There is an ongoing effort to add a Netty connector which has some WebSocket capabilities that will make it easier to map to the Restlet API

Hi Tal, could you suggest a PR for this issue?

This is now a requirement (2.2 M1). Keeping it to make sure we leverage more Java 6 APIs