diff options
Diffstat (limited to 'archives/extend/2013-February/000058.html')
-rw-r--r-- | archives/extend/2013-February/000058.html | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/archives/extend/2013-February/000058.html b/archives/extend/2013-February/000058.html new file mode 100644 index 00000000..2f44c8c7 --- /dev/null +++ b/archives/extend/2013-February/000058.html @@ -0,0 +1,137 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML> + <HEAD> + <TITLE> [99s-extend] Cowboy REST Logic + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Cowboy%20REST%20Logic&In-Reply-To=%3CCD411D79.2699%25christopher.phillips%40turner.com%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <style type="text/css"> + pre { + white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */ + } + </style> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="000057.html"> + <LINK REL="Next" HREF="000059.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[99s-extend] Cowboy REST Logic</H1> + <B>Phillips, Christopher</B> + <A HREF="mailto:extend%40lists.ninenines.eu?Subject=Re%3A%20%5B99s-extend%5D%20Cowboy%20REST%20Logic&In-Reply-To=%3CCD411D79.2699%25christopher.phillips%40turner.com%3E" + TITLE="[99s-extend] Cowboy REST Logic">Christopher.Phillips at turner.com + </A><BR> + <I>Wed Feb 13 17:01:27 CET 2013</I> + <P><UL> + <LI>Previous message: <A HREF="000057.html">[99s-extend] Cowboy REST Logic +</A></li> + <LI>Next message: <A HREF="000059.html">[99s-extend] [ANN] Bullet 0.4.0 +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#58">[ date ]</a> + <a href="thread.html#58">[ thread ]</a> + <a href="subject.html#58">[ subject ]</a> + <a href="author.html#58">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE> Will do. I actually like the 303 due to a bug in Firefox with examining +headers, but 201 seems like the canonical approach. + + CORS is actually pretty easy to open up fully, and the more restrictive +you want to be the harder it gets. We're not using credentials, and we +haven't tightened the domain to just those we expect, either, but it +basically amounts to adding the following to options/2 for the pre-flight - + + * Access-Control-Allow-Origin (with the origins we want to allow; * for +anything), + * Access-Control-Allow-Headers (which we're setting to the same as the +client requests for convenience's sake) + *Access-Control-Expose-Headers (for any headers beyond content-type that +the client wants access to; we have Location for the 201 mentioned above. + + +And the following to any request being passed back, as seems reasonable - + + * Access-Control-Allow-Origin as in options + * Access-Control-Expose-Headers as in options + + + I'm appending them in resource_exists/2 because I know that will be hit +by everything. If your logic is more complex (you want to allow PUTs from +site1, but deletes from site2, etc), you'll need to break that apart a bit +and conditionally check origin. We're relying on a firewall to protect +against direct calls from external servers, and we'll be tightening the +allowed domains and looking into validating the session with a token to +prevent CSRFs (as CORS means any existing CSRF vuln becomes a bit more +severe). + + +I suspect there's some redundancy there; we have a future story for +tightening things up, but in terms of just opening it up and getting +things working, that¹s all that I had to do. + + +On 2/13/13 10:34 AM, "Loïc Hoguin" <<A HREF="https://lists.ninenines.eu/listinfo/extend">essen at ninenines.eu</A>> wrote: + +><i>On 02/13/2013 02:52 PM, Phillips, Christopher wrote: +</I>>><i> +</I>>><i> In 6.1, and still in 8.0, there is some logic that surprised me, and +</I>>><i> I wanted to see if it was intentional, or if I'm missing something. +</I>>><i> +</I>>><i> If I set up a POST such that it's a create, I get back a 303, rather +</I>>><i> than a 201, on successful create. This came as a bit of a surprise; I +</I>>><i> know from Webmachine, if it's a new resource being created, a POST will +</I>>><i> return a 201 (N11 to P11 in Webmachine's v3 diagram). +</I>>><i> +</I>>><i> Is this intentional? The logic seems to be post_is_create/2 -> +</I>>><i> create_path/2 -> put_resource/3 -> choose_content_type/5 -> next/3 -> +</I>>><i> respond(_, _, 303). It may be that this is a better response, rather +</I>>><i> than a 201 with the location header, but it came as a surprise given web +</I>>><i> machine's behavior. +</I>><i> +</I>><i>This difference is probably not intentional. Please open a ticket. :) +</I>><i> +</I>>><i> For background, I'm attempting to migrate some web machine code to +</I>>><i> Cowboy, which is serving a RESTful API to a Javascript client. The +</I>>><i> client is making CORS calls. Receiving a 303 and a Location header +</I>>><i> seemed to mean that the call was redirected before the client side code +</I>>><i> ever saw it (not sure what the browser was doing; I was expecting +</I>>><i> another request, but I wasn't quite lucid enough to check for that last +</I>>><i> night when working on it); a 201 allows me to examine the location. +</I>><i> +</I>><i>Would be interested to know more about your CORS implementation, that's +</I>><i>something I would like to have in the guide. +</I>><i> +</I>><i>-- +</I>><i>Loïc Hoguin +</I>><i>Erlang Cowboy +</I>><i>Nine Nines +</I>><i><A HREF="http://ninenines.eu">http://ninenines.eu</A> +</I>><i> +</I> + + +</PRE> + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="000057.html">[99s-extend] Cowboy REST Logic +</A></li> + <LI>Next message: <A HREF="000059.html">[99s-extend] [ANN] Bullet 0.4.0 +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#58">[ date ]</a> + <a href="thread.html#58">[ thread ]</a> + <a href="subject.html#58">[ subject ]</a> + <a href="author.html#58">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://lists.ninenines.eu/listinfo/extend">More information about the Extend +mailing list</a><br> +</body></html> |