I am posting this question on Super User as well. In my opinion this question overlaps the two...


I am creating a simple JavaScript wrapper for CouchDB's REST-ful interface, but I am stuck on same-origin policy issues.

So far I've been developing my code to work locally - and only as a proof of concept - on Mozilla Firefox. My server is running on localhost, port 5984.

To disable cross-origin policy in Mozilla Firefox you can use the PrivilegeManager, but it only gets me half-way in the sense that I can't do PUT requests against my server...

```javascript
/*
 * Including this in my JavaScript file only seems to disable cross-origin
 * policy checks for POST and GET requests in Mozilla Firefox.
 * PUT requests fail.
 */

netscape.security.PrivilegeManager.enablePrivilege(
    "UniversalBrowserRead UniversalBrowserWrite"
);
```



Is there any way that I can configure my server to hide its location so I won't have to implement browser-specific work-arounds to avoid same-origin policy issues? If not: what browser work-arounds exist to disable same-origin policy completely?

+3  A: 

Unfortunately, any browser workarounds to disable same-origin policies are likely to be treated as serious security bugs and fixed as soon as possible.

See if you can come up with a way to work within the same-origin policy without trying to bypass it.

Can you serve your example scripts on the target server? Could you build a reflection script that would load the target script on your server after a local script on the user's computer uploaded whatever they modified?

There should be a good solution that doesn't involve bypassing the same-origin policy. Trying to hack your way around it is a good way to ensure that your code doesn't work properly in future browsers.

Paul McMillan
So serving my JavaScript files from the CouchDB server would solve my cross-origin issues?
roosteronacid
That would be one option. Since CouchDB isn't usually set up for direct user interaction, it's not a standard setup. Depending on how your servers are configured, you might alias a URL to your database server.
Paul McMillan
So if I were to serve my scripts from my CouchDB server instance, would I experience SOP issues when using those scripts in a file run from the file system?
roosteronacid
... That is to say: if I reference my JavaScript wrapper from the CouchDB instance (`http://localhost:5984/_utils/wapper.js`) in a file located on the filesystem, would I get any SOP errors when calling functions from wrapper.js that execute GET/POST/PUT etc. requests to the CouchDB server?
roosteronacid
Unfortunately, local file system SOP gets weird. Some browsers are more strict, some are less. If you're accessing a file using `http://localhost/` syntax, you're stuck with the web-model. If you're accessing the file with a `file://` style syntax, you will get different permissions.
Paul McMillan
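
The origin comparison behind the behaviour discussed in this thread, as an added example that is not part of the original posts: it uses the standard `URL` parser to show which page locations count as same-origin with the CouchDB server on port 5984. The page names and the `mydb/doc1` path are hypothetical, and treating a `file://` page as an opaque origin that matches nothing is an assumption (the strict model; as noted above, browsers differ here).

```javascript
// Added example: models the same-origin check with the WHATWG URL parser
// (a global in Node.js and in browsers). Sample URLs are constructed.

// An origin is the tuple (scheme, host, port). URL.origin serializes it,
// dropping default ports, and yields the string "null" for opaque origins
// such as file: URLs.
function originOf(url) {
  return new URL(url).origin;
}

// documentUrl is the page that runs the script. The URL the script file was
// loaded from plays no part: a script runs with its including page's origin.
function classifyRequest(documentUrl, requestUrl) {
  const doc = originOf(documentUrl);
  const target = originOf(requestUrl);
  if (doc === "null" || target === "null") {
    // Assumption (strict model): an opaque origin matches nothing.
    return "opaque-origin";
  }
  return doc === target ? "same-origin" : "cross-origin";
}

const COUCH = "http://localhost:5984/mydb/doc1"; // hypothetical database path

function demo() {
  return {
    // Page served by the CouchDB instance itself.
    servedByCouch: classifyRequest("http://localhost:5984/_utils/index.html", COUCH),
    // Same host, but a web server on the default port 80.
    otherPort: classifyRequest("http://localhost/app/index.html", COUCH),
    // Same host and port, different scheme.
    otherScheme: classifyRequest("https://localhost:5984/app.html", COUCH),
    // Page opened from disk, even if it includes a script from port 5984.
    fromDisk: classifyRequest("file:///home/user/test.html", COUCH),
  };
}

console.log(demo());
```

Only the first case needs no cross-origin handling, which is why serving the page from the database server, or aliasing a URL on the page's server to it, resolves the problem without browser-specific workarounds.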