
Support CORS (Cross-Origin Resource Sharing)

Open thboileau opened this issue 12 years ago • 14 comments

Initial ticket : http://restlet.tigris.org/issues/show_bug.cgi?id=994

thboileau avatar Mar 07 '12 16:03 thboileau

We should support the CORS approach now that it is widely implemented: http://www.w3.org/TR/cors/

New headers:

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials
  • Access-Control-Expose-Headers
  • Access-Control-Max-Age
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers
  • Origin
  • Access-Control-Request-Method
  • Access-Control-Request-Headers

jlouvel avatar Jul 12 '12 13:07 jlouvel

FYI, I'm implementing this now for a framework I'm working on; I may be able to contribute something once I've got it working.

adennie avatar Dec 11 '13 14:12 adennie

Sounds good Andy. That would be a great enhancement to Restlet API

jlouvel avatar Dec 11 '13 16:12 jlouvel

I'm trying to figure out the "Restlet way" to implement this... would a CorsService with a CorsFilter be a good approach?

-Andy


adennie avatar Dec 11 '13 16:12 adennie

What I had in mind was something along the lines of the org.restlet.data.ChallengeRequest and ChallengeResponse classes: http://restlet.org/learn/javadocs/snapshot/jee/api/index.html?org/restlet/data/ChallengeRequest.html

These org.restlet.data.AccessControlRequest and AccessControlResponse classes would be used via Request#accessControlRequest and accessControlResponse properties and automatically populated if present in the lower-level HTTP message.

jlouvel avatar Dec 11 '13 17:12 jlouvel

Ah, you're talking about exposing the CORS-related request and response headers, I think. That's useful also, but I was thinking about providing an implementation of the CORS-related functionality (e.g. allow configuration of allowed origins, allowed headers, exposed headers, etc. in a CorsService and then use that config info in a CorsFilter to insert appropriate headers into the response for pre-flight and normal CORS requests).

adennie avatar Dec 11 '13 17:12 adennie

That's definitely complementary. I'm not sure how the CorsService could work, but it could definitely let you configure and insert an inbound CorsFilter. Interested in details.

You might want to consider outbound support in this filter for client-side calls in the future, like AJAX does by default in modern browsers.

jlouvel avatar Dec 11 '13 19:12 jlouvel
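As an added illustration of the CorsService/CorsFilter split discussed in the two comments above (hypothetical code, not Restlet's API or Andy's implementation): the policy object holds the configuration, and `apply()` does what the filter would do with the request and response headers, including the preflight branch. The header `Map`s are assumed stand-ins for whatever the framework exposes.

```java
import java.util.*;

// Added sketch of a CORS policy plus the filter-side logic that consumes it; hypothetical, not Restlet's code.
public final class CorsPolicy {
    private final Set<String> allowedOrigins, allowedMethods, allowedHeaders, exposedHeaders;
    private final boolean allowCredentials;
    private final long maxAgeSeconds;

    public CorsPolicy(Set<String> allowedOrigins, Set<String> allowedMethods, Set<String> allowedHeaders,
                      Set<String> exposedHeaders, boolean allowCredentials, long maxAgeSeconds) {
        if (allowCredentials && allowedOrigins.contains("*")) {
            // Browsers reject "*" combined with credentials; failing at configuration time makes the mistake visible early.
            throw new IllegalArgumentException("wildcard origin cannot be combined with credentials");
        }
        this.allowedOrigins = allowedOrigins;
        this.allowedMethods = allowedMethods;
        this.allowedHeaders = lowerCase(allowedHeaders);   // header names compare case-insensitively
        this.exposedHeaders = exposedHeaders;
        this.allowCredentials = allowCredentials;
        this.maxAgeSeconds = maxAgeSeconds;
    }

    /** Returns true when the request was a preflight and has been fully answered, so the filter should stop here. */
    public boolean apply(String method, Map<String, String> req, Map<String, String> resp) {
        String origin = req.get("Origin");
        if (origin == null) return false;                            // not a CORS request: add nothing
        boolean any = allowedOrigins.contains("*");
        if (!any && !allowedOrigins.contains(origin)) return false;  // unknown origin: emit no CORS headers at all
        boolean preflight = "OPTIONS".equals(method) && req.containsKey("Access-Control-Request-Method");
        if (preflight) {
            Set<String> wanted = lowerCase(Arrays.asList(req.getOrDefault("Access-Control-Request-Headers", "").split(",")));
            if (!allowedMethods.contains(req.get("Access-Control-Request-Method")) || !allowedHeaders.containsAll(wanted))
                return true;                                         // answered without approval: the browser blocks the call
            resp.put("Access-Control-Allow-Methods", String.join(", ", allowedMethods));
            resp.put("Access-Control-Allow-Headers", String.join(", ", allowedHeaders));
            resp.put("Access-Control-Max-Age", Long.toString(maxAgeSeconds));
        } else if (!exposedHeaders.isEmpty()) {
            resp.put("Access-Control-Expose-Headers", String.join(", ", exposedHeaders));
        }
        resp.put("Access-Control-Allow-Origin", any ? "*" : origin);  // echo only an allowlisted origin, never blindly
        if (!any) resp.put("Vary", "Origin");                         // the answer depends on Origin; tell caches so
        if (allowCredentials) resp.put("Access-Control-Allow-Credentials", "true");
        return preflight;
    }

    private static Set<String> lowerCase(Collection<String> names) {
        Set<String> out = new TreeSet<>();
        for (String n : names) if (!n.trim().isEmpty()) out.add(n.trim().toLowerCase(Locale.ROOT));
        return out;
    }
}
```

In a Restlet-style filter the `beforeHandle` step would call `apply()` and skip the resource when it returns true; the order of checks (origin first, then method and headers) means a non-allowlisted origin receives no `Access-Control-*` headers at all.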

Here's a sneak peek, still a bit rough, but you can get the idea:

https://github.com/adennie/vroom/blob/master/vroom-core/src/main/java/com/fizzbuzz/vroom/core/api/service/CorsService.java

https://github.com/adennie/vroom/blob/master/vroom-core/src/main/java/com/fizzbuzz/vroom/core/api/filter/CorsFilter.java

Any general feedback on how it's structured would be appreciated.

adennie avatar Dec 12 '13 20:12 adennie

Andy, I looked at the code and find the implementation compelling, especially the handlePreflightRequest method.

Once you get this stable, it would be great to refactor the CORS header manipulation logic into AccessControlRequest and AccessControlResponse classes to complete this feature.

To see how the headers reading/writing logic is handled, check this class: https://github.com/restlet/restlet-framework-java/blob/master/modules/org.restlet/src/org/restlet/engine/header/HeaderUtils.java

jlouvel avatar Dec 13 '13 01:12 jlouvel

Thanks for taking a look, and for the pointer to the header reading/writing logic.

By the way, I'm not sure I grasp the value of implementing the client side of the CORS protocol for outbound Restlet requests. Is Restlet enforcing a Same Origin Policy for outbound requests?

-Andy


adennie avatar Dec 14 '13 13:12 adennie

I agree client-side support could be done as a second step, it isn't necessary for your use case.

Having it could help build more secure browser-like clients / server-side mashups.

jlouvel avatar Dec 14 '13 13:12 jlouvel

I would like to know if this is planned to be implemented / added to Restlet at any time.

gpulido avatar Mar 17 '14 09:03 gpulido

This is scheduled for version 2.3, see draft roadmap: https://github.com/restlet/restlet-framework-java/wiki/Road-map-of-version-2.3-(draft)

Any contributions to make it happen earlier are welcome :)

jlouvel avatar Mar 17 '14 14:03 jlouvel

Let's check the complete list of CORS headers.

thboileau avatar Jun 08 '21 11:06 thboileau