Why CORS?
Browsers all maintain a same-origin policy. One reason this is necessary is that XMLHttpRequest passes the user's authentication tokens. Suppose he is logged in to theBank.com with basic auth and then visits untrusted.com. If there were no restrictions, untrusted.com could issue its own XMLHttpRequest to theBank.com with full authorisation and gain access to that user's private data.But a blanket ban on cross-origin requests also prohibits legitimate use. For this reason, most modern browsers support Cross-origin resource sharing (CORS). . This is a protocol which allows the browser to negotiate with the back-end server to discover whether or not such requests from 'foreign' domains are allowed by the server, and to make the actual requests.
When browsers issue requests, they always include the Origin header. The essence of the protocol is that the server will respond with an Access-Control-Allow-Origin header if that Origin is acceptable to it. Browsers will then allow the access to go ahead. For example, here we have an XMLHttpRequest emanating from a script named midijs and hosted on a server running on localhost:9000:
Accept:*/* Accept-Encoding:gzip,deflate,sdch Accept-Language:en-GB,en-US;q=0.8,en;q=0.6 Cache-Control:no-cache Connection:keep-alive Host:192.168.1.64:8080 Origin:http://localhost:9000 Pragma:no-cache Referer:http://localhost:9000/midijs User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/28.0.1500.71 Chrome/28.0.1500.71 Safari/537.36And here is a response from a back-end server that accepts the Origin:
Access-Control-Allow-Credentials:true Access-Control-Allow-Origin:http://localhost:9000 Content-Length:2222 Content-Type:audio/midi; charset=UTF-8 Date:Sun, 29 Sep 2013 09:13:03 GMT Server:spray-can/1.1-20130927This is all that is necessary for GET requests. Security issues are greater for requests that are not used for pure retrieval and/or where user credentials are supplied. Here, CORS provides additional headers and a 'preflight request' mechanism which asks permission from the server before it makes the actual request. For more details see http://www.html5rocks.com/en/tutorials/cors/
CORS Support in Spray
The M8 release versions of Spray have no CORS support. Initial support for the CORS headers has now been integrated into the forthcoming release of Spray. These can be accessed if you develop your own CORS directive which makes use of respondWith directives in order to set the appropriate headers. For example, here's an approach based on that of Cristi Boarlu that works very well:import spray.http._
import spray.routing._
import spray.http.HttpHeaders._
trait CORSDirectives { this: HttpService =>
private def respondWithCORSHeaders(origin: String) =
respondWithHeaders(
HttpHeaders.`Access-Control-Allow-Origin`(SomeOrigins(List(origin))),
HttpHeaders.`Access-Control-Allow-Credentials`(true)
)
private def respondWithCORSHeadersAllOrigins =
respondWithHeaders(
HttpHeaders.`Access-Control-Allow-Origin`(AllOrigins),
HttpHeaders.`Access-Control-Allow-Credentials`(true)
)
def corsFilter(origins: List[String])(route: Route) =
if (origins.contains("*"))
respondWithCORSHeadersAllOrigins(route)
else
optionalHeaderValueByName("Origin") {
case None =>
route
case Some(clientOrigin) => {
if (origins.contains(clientOrigin))
respondWithCORSHeaders(clientOrigin)(route)
else {
// Maybe, a Rejection will fit better
complete(StatusCodes.Forbidden, "Invalid origin")
}
}
}
}
And this is how it can be used in my case to protect a route which generates a response for a path that requests a particular file type (e.g. midi):
path(Segment / "tune" / Segment / Segment ) { (genre, tuneEncoded, fileType) =>
get {
val contentTypeOpt = getContentTypeFromFileType(fileType:String)
if (contentTypeOpt.isDefined) {
respondWithMediaType(contentTypeOpt.get.mediaType) {
corsFilter(MusicRestSettings.corsOrigin) {
val tune = java.net.URLDecoder.decode(tuneEncoded, "UTF-8")
val futureBin = Tune(genre, tune).asFutureBinary(contentTypeOpt.get)
_.complete(futureBin)
}
}
}
else {
failWith(new Exception("Unrecognized file extension " + fileType))
}
}
} ~
There is also a discussion started by Tim Perrett which hopes to be able to wrap routes within a cors directive which will just 'do the right thing' with preflight requests and appropriate access control headers as unobtrusively as possible. If you want to try this out yourself, you can try one of the release candidates that were published on October 23rd.
Embedded YouTube Videos and Chrome
I have just discovered a related problem to do with rendering embedded YouTube videos in Chrome. I want to extend my trad tunes web site with a comments page attached to each tune. The foot of the page will contain a form allowing the user to add a comment to the page, and this is particularly useful if she finds a video where the tune is being played. YouTube allows you to embed the video into the page which it manages by means of an iframe. Unfortunately, when she posts the tune, Chrome won't display it until the page is refreshed (although all other major browsers will). Instead it reports:The XSS Auditor refused to execute a script in 'http://localhost:9000/genre/agenre/tune/atune/comments' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.What's happening is that the browser must run javascript code to render the iframe, and it again thinks that it emanates from the server that provided the page which is thus making a cross-origin request. In this case, the solution is to add a request header instructing the browser to suspend the XSS Auditor check when it process the page. This is achieved with the X-XSS-Protection header. For example, the Play Framework Action that processes a valid comment might respond like this:
val comment = commentForm.bindFromRequest.get
commentsModel.add(comment)
Ok(views.html.comments(commentsModel.getAll, commentForm, genre, tune)(userName)).withHeaders("X-XSS-Protection"->"0")
When Chrome sees this header, it immediately renders the video. Note, this technique doesn't work if you issue a redirect instead of responding directly.
