1181530 – [RFE] Add CORS support to the RESTAPI

Bug 1181530 - [RFE] Add CORS support to the RESTAPI

Summary: [RFE] Add CORS support to the RESTAPI

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-engine
Classification:	oVirt
Component:	RestAPI
Sub Component:
Version:	---
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	ovirt-3.6.0-rc
Target Release:	3.6.0
Assignee:	Juan Hernández
QA Contact:	Jiri Belka
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-01-13 10:49 UTC by Juan Hernández
Modified:	2016-03-11 07:19 UTC (History)
CC List:	9 users (show)
Fixed In Version:	ovirt-engine-3.6.0-0.0.master.20150412172306.git55ba764
Clone Of:
Environment:
Last Closed:	2016-03-11 07:19:59 UTC
oVirt Team:	Infra
Embargoed:
Dependent Products:
Flags:	rule-engine: ovirt-3.6.0+ ylavi: planning_ack+ rule-engine: devel_ack+ pstehlik: testing_ack+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1186751	unspecified	CLOSED	New package request: ebay-cors-filter	2021-02-22 00:41:40 UTC
oVirt gerrit	36367	master	MERGED	restapi: Add CORS filter	Never
oVirt gerrit	37367	None	None	None	Never
oVirt gerrit	37370	None	NEW	packaging: Use CORS filter provided by its own package	Never

Internal Links: 1186751

Description Juan Hernández 2015-01-13 10:49:53 UTC

Currently the RESTAPI doesn't respond to CORS (Cross Origin Request Sharing, see [1]) request sent by browsers. It should do so, and allow requests from a restricted and configurable set of origins.

[1] http://www.w3.org/TR/cors/

Comment 1 Sandro Bonazzola 2015-01-28 13:40:39 UTC

https://fedorahosted.org/ovirt/ticket/287 and requested it in Fedora on bug #1186751

Comment 2 Jiri Belka 2016-03-01 15:19:18 UTC

ok rhevm-backend-3.6.3.4-0.1.el6.noarch

1. all origins enabled OK

CORSSupport: true version: general
CORSAllowedOrigins: * version: general

2. specific url as origin OK

CORSSupport: true version: general
CORSAllowedOrigins: http://jb-rhevm36.example.com:8765 version: general

3. default (false + same origin having https) OK

CORSSupport: false version: general
CORSAllowedOrigins:  version: general

4. default (false + origin not having https) FALSE

this should fail, thus OK

Note You need to log in before you can comment on or make changes to this bug.