Server Setting to enable CORS

[gramian]

Dear Developers,

I would like to propose to add a server setting enabling Cross Origin Resource Sharing (CORS).

While publicly exposing a database server in entirety is generally a bad idea, just forwarding the query endpoint for a read-only user could be acceptable. Also during development and testing of a wrapping application or driver, such a setting could be useful.

As ArcadeDB uses Undertow, enabling CORS is dicussed here: https://stackoverflow.com/questions/42066845/how-to-enable-access-control-allow-origin-in-undertow

Best

[lvca]

I like this. If this can be solved by just adding this piece of code:

httpServerExchange.getResponseHeaders()
                .put(new HttpString("Access-Control-Allow-Origin"), "*");

Then it's super easy, we could have a setting to enable/disable that. WDYT?

[gramian]

Of course, it turns out, this is more complicated: Since the server requires credentials, the CORS standard forbids to return * as origin. More formally: If Access-Control-Allow-Credentials is used (which is, due to the authorization), then Access-Control-Allow-Origin has to contain the specific origin (domain), see: https://portswigger.net/web-security/cors#server-generated-acao-header-from-client-specified-origin-header .

[gramian]

Particularly, this means a so-called CORS Preflight Request via an OPTIONS method has to succeed, which is currently not supported.

[tolgaulas]

As this is a security matter and users may like to define their own constraints, I suggest making the value * only if the user did not define their own value. Tolga Ulas

…

On Tue, May 2, 2023 at 12:22 PM Luca Garulli ***@***.***> wrote: I like this. If this can be solved by just adding this piece of code: httpServerExchange.getResponseHeaders() .put(new HttpString("Access-Control-Allow-Origin"), "*"); Then it's super easy, we could have a setting to enable/disable that. WDYT? — Reply to this email directly, view it on GitHub <#1057 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAK5MQUWI57IJY4UR3O7NPLXEDG6PANCNFSM6AAAAAAXPGIVSY> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.*** com>

[lvca]

Should it be enabled by default with *? Or disabled by default for security? We could define a new setting arcadedb.server.cors, where:

• if not defined (NULL), then it's disabled
• otherwise, the value goes in the Access-Control-Allow-Origin. Typically "*", but the users can put whatever they want

[gramian]

IMHO This should be deactivated by default.

[tolgaulas]

I concur.

[lvca]

I've pushed a new branch http_cors with the work in progress to provide full CORS:

5cb1ef1

@gramian was mentioning an OPTIONS call is still missing. What else should we provide? Feel free to fork and contribute to this branch.