From my quick reading of the spec it seems like we will need to add:
* a whitelist (in the db or server.cfg) of trusted domains which are allowed to make cross-domain requests
* code for handling OPTIONS requests (Flask may already provide this?)
* code for setting Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers based on the whitelisted domains
We may also want to set Access-Control-Allow-Origin: * for GET requests, to allow "simple" CORS requests for fetching anonymous data. However the admin can also just set this in their Apache config if desired.
http://flask-cors.readthedocs.org/en/latest/ may be of some help.
This has been taken care and we could go ahead and close this bugzilla. I am not sure if you kept it open purposely.
We already enabled Access-Control-Allow-Origin: * a while back, for "simple" CORS requests which are read-only. This RFE is about adding application-level support for CORS requests with POST and other requests beyond the "simple" CORS restrictions.
If you don't need anything beyond "simple" CORS requests that's good to know, we will drop the priority of this.
thank you for opening issue in Beaker project.
This issue was marked with component "web ui".
As we are not planning to address any further issues in current UI, due to technical stack and not being able to work with Python 3 codebase, I'm closing this issue as WONTFIX.
New UI will be reimplemented within new versions of Beaker.
If you have any questions feel free to reach out to me.