Orion 1.0.0 does not handle CORS access control headers sufficiently

[captainrobbo]

We're trying to directly talk to Orion from Javascript in browsers. This opens the door to many exciting uses, but it is inherently "cross domain" as far as the browser is concerned.

Unfortunately when a browser such as Chrome tries to do a PUT against Orion, it first does an OPTIONS request to find the allowed verbs (preflighting). Orion 1.0.0 responds with a list of verbs that does not include PUT. Therefore, when running over HTTP, one has to completely replace the entity every time using a POST.

In addition, when running Orion over HTTPS, connection is not possible. Orion would need to offer
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE, OPTIONS

Currently we need to have a thin proxy in front of Orion to handle rewriting of headers.

It would be very convenient if Orion had options to allow the above.

[fgalan]

CORS support for verbs different to GET is in our roadmap. Please, have a look to #501

[captainrobbo]

Thanks very much!

In the meantime we have a simple WSGI server sitting in front, which does
the job.

• Andy

On 3 May 2016 at 06:58, Fermín Galán Márquez [email protected]
wrote:

CORS support for verbs different to GET is in our roadmap. Please, have a
look to #501 #501

—
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#2108 (comment)

[fgalan]

I'd suggest to close this issue as duplicated of #501

[captainrobbo]

Duplicate of #501