CORS violation when using REST API about midas HOT 15 OPEN

@dblezek Thanks for the detailed report.

@cpatrick @jamiesnape Would it help to update the latest version of Midas ?

from midas.

No and streaming is not an option in general. Do we need to support using a browser to make API calls? What is the use case?

from midas.

@jamiesnape Working on a browser based viewer for Slicer MRB files. One of the use cases would be to have a list of available MRB files from MIDAS, and click load. This works fine if you download the MRB and then drag it onto the page, but CORS does not let the data be fetched from MIDAS. Perhaps you could include CORS headers to be enabled for all downloads?

Not sure why you couldn't send the file directly from http://slicer.kitware.com/midas3/rest/bitstream/download/{id} without the redirect. The REST API lead me to believe it was possible...

from midas.

@dblezek Let me investigate and I will get back to you with a solution.

from midas.

Not sure why you couldn't send the file directly from http://slicer.kitware.com/midas3/rest/bitstream/download/{id} without the redirect.

We probably could, however the redirect isn't the issue here since it's just redirecting to the same origin (http://slicer.kitware.com). It's the XHR from your origin to slicer.kitware.com that is causing the CORS. In any case, we should expose instance-level settings for CORS headers to allow from cross origin XHR like in this case. @jamiesnape you may be able to borrow some logic in that regard from the way girder does this: girder/girder#580

from midas.

Sorry, meant this PR girder/girder#549

from midas.

@zachmullen, the redirect is the problem. The /rest/bitstream/download/{id} returns with a nice Access-Control-Allow-Origin: "*" header. If the data came over that request, XHR would be happy. The redirect URL does not have the CORS header, so XHR does not allow it. That is, if I understand how csrf-prevention works.

The last request does not have the Access-Control-Allow-Origin: header, and that is what trips up XHR:

REST Call:

non-REST Call:

from midas.

Interesting, thanks for the info -- I was unaware that part of MIDAS was sending permissive CORS headers and part was not. Definitely strange behavior that should be fixed. :)

from midas.

So it turns out that in /library/REST/Controller/Plugin/RestHandler.php, we have:

    public function dispatchLoopStartup(Zend_Controller_Request_Abstract $request)
    {
            // ...

            // Cross-Origin Resource Sharing (CORS)
            // TODO: probably should be an environment setting?
            $this->_response->setHeader('Access-Control-Max-Age', '86400');
            $this->_response->setHeader('Access-Control-Allow-Origin', '*');
            $this->_response->setHeader('Access-Control-Allow-Credentials', 'true');
            $this->_response->setHeader('Access-Control-Allow-Headers', 'Authorization, X-Authorization, Origin, Accept, Content-Type, X-Requested-With, X-HTTP-Method-Override');

            // ...
    }

from midas.

Looking deeper, there are a lot of issues with the code in the REST_ namespace.

from midas.

Thanks for looking into it. Much appreciated.

from midas.

Yes, thanks!

from midas.

I will try to get a fix in for the version 3.4 release.

from midas.

@jamiesnape or @zachmullen Any progress? Would love to integrate Midas into my project.

thanks

from midas.

@dblezek No progress, I am afraid. There will be some refactoring related to the REST_ namespace in 3.4.1, but I do not have an ETA yet.

from midas.