[SERVER-9327] Core Simple Rest Interface to support Cross-origin resource sharing Created: 11/Apr/13  Updated: 07/Jul/17  Resolved: 07/Jul/17

Status: Closed
Project: Core Server
Component/s: HTTP Console
Affects Version/s: 2.4.1
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Marcin Waligora Assignee: DO NOT USE - Backlog - Platform Team
Resolution: Done Votes: 1
Labels: platforms-re-triaged, pull-request, rest
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File pr73_rebase_f4766f8.diff    
Issue Links:
Depends
depends on SERVER-2030 Better REST api query Closed
Backwards Compatibility: Fully Compatible
Participants:

 Description   

There are some instances where data in MongoDB is publicly open.
It would be extremely efficient if you could query MongoDB (only read-only operations) using the built-in Simple REST Interface
http://docs.mongodb.org/ecosystem/tools/http-interfaces/#simple-rest-interface
from web applications.
To do that the server must simply return
Access-Control-Allow-Origin: *
as additional header. It already returns custom headers so this new one should not be a problem.

The main reason why this is so useful is we have mongo databases distributed globally yet our web servers are located in one region.
When users access the web application from other regions, JavaScript code could simply query the in-region MongoDB instance.

Obviously if we go with Sleepy Mongoose or any other outside of core system interfaces we have to send our requests back to the web servers.



 Comments   
Comment by Sven Ludwig [ 31/Jan/15 ]

From a security perspective, such settings should be configurable and with secure defaults.

However, projects usually have the option to use the reverse proxy infrastructure pattern and proxy MongoDB (with nginx, Apache and other things).

A proxy layer can be responsible for adding or subtracting web security as needed, and also do all kinds of other things a reverse proxy can do for you (TLS termination, routing etc.).
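
The reverse-proxy approach from the comment above, as an added example that is not part of the original thread or of MongoDB's code: the policy a proxy in front of the Simple REST Interface could apply, with no cross-origin access by default and read-only methods only. The origin values, `corsDecision`, `makeHandler` and the `forwardToBackend` callback are assumptions made for illustration.

```javascript
// Added example with constructed values; not code from MongoDB or the ticket.
const DEFAULT_POLICY = Object.freeze({
  allowedOrigins: [],              // secure default: no cross-origin reads
  allowedMethods: ["GET", "HEAD"], // read-only, as the issue requests
});

// Decide what the proxy does with one request before anything is
// forwarded to the database's HTTP interface.
function corsDecision(method, origin, policy = DEFAULT_POLICY) {
  const headers = { Vary: "Origin" }; // caches must key on Origin
  const originAllowed =
    typeof origin === "string" && policy.allowedOrigins.includes(origin);
  if (originAllowed) {
    // Echo the exact allowlisted origin instead of "*".
    headers["Access-Control-Allow-Origin"] = origin;
  }
  if (method === "OPTIONS") {
    // Preflight is answered by the proxy and never reaches the backend.
    if (originAllowed) {
      headers["Access-Control-Allow-Methods"] = policy.allowedMethods.join(", ");
    }
    return { forward: false, status: 204, headers };
  }
  if (!policy.allowedMethods.includes(method)) {
    headers.Allow = policy.allowedMethods.join(", ");
    return { forward: false, status: 405, headers };
  }
  // Requests without an allowlisted Origin are still forwarded (same-origin
  // pages, non-browser clients); browsers just will not expose the response
  // to scripts from other sites. CORS is not an access control for the data.
  return { forward: true, status: null, headers };
}

// Wire the decision into a Node-style (req, res) handler. `forwardToBackend`
// is a hypothetical callback that performs the actual proxying.
function makeHandler(policy, forwardToBackend) {
  return (req, res) => {
    const d = corsDecision(req.method, req.headers.origin, policy);
    for (const [name, value] of Object.entries(d.headers)) {
      res.setHeader(name, value);
    }
    if (d.forward) return forwardToBackend(req, res);
    res.statusCode = d.status;
    res.end();
  };
}
```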

Comment by Marcin Waligora [ 06/Jun/13 ]

Making this issue depend on something as vague as Better REST api query guarantees it will not be created.
Can you please change this so that it's a standalone enhancement?

Generated at Thu Feb 08 03:20:04 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.