Hi there,
I'm doing some work on an authentication module that'll implement the HTTP access control protocol, also known as Cross-Origin Resource Sharing. This allows browser to access your endpoints using XMLHttpRequest (AJAX).
However in it's current state the RESTServer ignores requests made with the OPTIONS method, which is required to preflight cross domain requests wanting to do anything other then GET or simple POST requests.
I'm writing here because I'm uncertain of how I should implement this. Authentication modules are invoked after the server has figured out what controller to call, and since RESTServer can't map OPTIONS-requests to a controller it fails. And OPTIONS is not really RESTy so perhaps it should not be handled at all by the server. And furthermore, it should not be limited to the REST-server either, it should work with any server implementation.
Being able to preflight requests would be huge though, since well, the Internet is not moving away from web apps and JavaScript at the moment ;)
So, is this something that we should somehow implement into Services or should I let my module implement hook_init()/hook_boot() and let preflighting happen there?
I don't know if there are any pros to making it a part of Services. I don't know how many clients actually make use of OPTIONS. Wikipedia says:
Returns the HTTP methods that the server supports for specified URL. This can be used to check the functionality of a web server by requesting '*' instead of a specific resource.
Basically I just wanted your opinion before doing anything. I would be willing to implement some kind of support into Services. In it's most basic form I guess it would just read the requested endpoint and see what kind of HTTP methods it supports and return those. And also implement a hook that lets other modules modify/add headers to the response?
Cheers!
More about the workings of the cross origin policy: https://developer.mozilla.org/En/HTTP_access_control
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | 1060882-cors-preflight.patch | 824 bytes | raspberryman |
Comments
Comment #1
voxpelli commentedI think that the REST Server should make it possible to support any kind of HTTP method - not only the OPTIONS but perhaps also the HEAD method and perhaps methods like the ones used by WebDAV?
Supporting a wide range of HTTP methods seems very REST:ful to me.
Patches welcome ;)
Comment #2
marcingy commentedMoving to current version and setting as postponed for consideration in 7.4
Comment #3
mrfelton commentedSubscribing.
Comment #4
hbfkf commentedSubscribing.
Comment #5
raspberryman commentedTemporary patch for those suffering from CORS headaches with Services. Note: This patch assumes you've set up CORS with your .htaccess or other server config file.
Comment #6
kylebrowning commentedWont fix in 3.x but ive added it as a list of things to do for 4.x
Comment #7
bendev commentedthanks for #5. It helped to solved the OPTIONS issue (404 pages)