Bug 1202583

Summary: support CORS "pre-flighted requests" and requests with credentials
Product: [Retired] Beaker
Reporter: Dan Callaghan <dcallagh>
Component: web UI
Assignee: beaker-dev-list
Status: CLOSED WONTFIX
QA Contact: tools-bugs <tools-bugs>
Severity: high
Docs Contact:
Priority: medium
Version: 19
CC: mastyk, npatil, ssarkar
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-06-02 11:49:27 UTC
Type: Bug

Description Dan Callaghan 2015-03-16 23:40:24 UTC
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

From my quick reading of the spec it seems like we will need to add:
* a whitelist (in the db or server.cfg) of trusted domains which are allowed to make cross-domain requests
* code for handling OPTIONS requests (Flask may already provide this?)
* code for setting Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers based on the whitelisted domains

We may also want to set Access-Control-Allow-Origin: * for GET requests, to allow "simple" CORS requests for fetching anonymous data. However the admin can also just set this in their Apache config if desired.
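
The three pieces listed in the description above (an allowlist of trusted origins, OPTIONS handling, and per-origin Access-Control-Allow-Origin / Access-Control-Allow-Credentials headers), shown as a standard-library WSGI middleware. This is an added example, not Beaker's code and not part of the original report; the origin `https://dashboard.example.com` and the names `CorsAllowlist`, `simulate` and `demo_app` are assumptions.

```python
# Added example (stdlib only). Origins and names below are constructed.
TRUSTED = {"https://dashboard.example.com"}   # hypothetical allowlist entry
METHODS = "GET, POST, PUT, PATCH, DELETE"
REQ_HEADERS = "Content-Type"

class CorsAllowlist:
    """WSGI middleware: answers preflights, adds credentialed-CORS headers."""

    def __init__(self, app, trusted):
        self.app, self.trusted = app, frozenset(trusted)

    def _grant(self, origin):
        # Exact-match lookup; echo the origin, since "*" is invalid with credentials.
        if origin not in self.trusted:
            return [("Vary", "Origin")]
        return [("Access-Control-Allow-Origin", origin),
                ("Access-Control-Allow-Credentials", "true"),
                ("Vary", "Origin")]

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        grant = self._grant(origin)
        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            if origin in self.trusted:
                grant += [("Access-Control-Allow-Methods", METHODS),
                          ("Access-Control-Allow-Headers", REQ_HEADERS)]
            start_response("204 No Content", grant)
            return [b""]          # preflight never reaches the application

        def wrapped(status, headers, exc_info=None):
            return start_response(status, list(headers) + grant, exc_info)
        return self.app(environ, wrapped)

def simulate(app, method, origin=None, preflight_for=None):
    """Drive the WSGI app with a constructed request; return (status, headers)."""
    environ, seen = {"REQUEST_METHOD": method}, {}
    if origin:
        environ["HTTP_ORIGIN"] = origin
    if preflight_for:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = preflight_for
    def start_response(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]

def demo_app(environ, start_response):   # stand-in for the real application
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b"{}"]
```

An origin that is not on the allowlist gets no Access-Control-* headers, so the browser refuses the credentialed request after the failed preflight. Requests that need no preflight still reach the application, so CSRF protection is still required.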

Comment 1 Dan Callaghan 2015-03-16 23:41:00 UTC
http://flask-cors.readthedocs.org/en/latest/ may be of some help.

Comment 4 Nilesh Patil 2015-04-29 07:16:14 UTC
Hey Dan,

This has been taken care of and we could go ahead and close this bugzilla. I am not sure if you kept it open purposely.

Comment 5 Dan Callaghan 2015-04-29 07:19:44 UTC
We already enabled Access-Control-Allow-Origin: * a while back, for "simple" CORS requests which are read-only. This RFE is about adding application-level support for CORS requests with POST and other requests beyond the "simple" CORS restrictions.

If you don't need anything beyond "simple" CORS requests that's good to know, we will drop the priority of this.

Comment 6 Martin Styk 2020-06-02 11:49:27 UTC
Hello,

Thank you for opening an issue in the Beaker project.
This issue was marked with component "web ui".
As we are not planning to address any further issues in the current UI, due to the technical stack and not being able to work with the Python 3 codebase, I'm closing this issue as WONTFIX.
The new UI will be reimplemented within new versions of Beaker.

If you have any questions feel free to reach out to me.

Best regards,
Martin <martin.styk>