allow CORS in import API

[javisantana]

It would be nice to have CORS in the import API but we need to be really careful with the implementation in order to not open security holes.

If we just allow CORS adding http OPTIONS + headers a third party could import files if the user has the session open.

My proposal here is allow CORS only if a valid api_key is provided (and in the future with oauth), like

curl -X OPTIONS -H "Cookie: valid session" http://user.cartodb.com/api/v1/import

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 27 Feb 2015 16:31:18 GMT
Transfer-Encoding: chunked
Connection: keep-alive

curl -X OPTIONS "http://user.cartodb.com/api/v1/import?api_key=validapikey"

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 27 Feb 2015 16:31:18 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With, X-Prototype-Version, X-CSRF-Token

thoughts? @juanignaciosl @Kartones @rafatower @rochoa

[juanignaciosl]

Totally. It must have the same rules than SQL API, for example.

[Kartones]

Fine, after the vizjson changes this changes can be attacked easier (or at least detect better possible problems), and I like the idea

[rafatower]

Fine by me, but what's the use case you're thinking about?

[javisantana]

being able to import a table from a third party application using only javascript cc @sanderpick

[rochoa]

Do we want to make this available to anybody? Or do we want to enable it for specific third party applications (like in a whitelist)?

[sanderpick]

would be fine for the "map-in-cartodb-button" app to have a whitelist - but may be nice to just have it open so others can build stuff with it too if it's not a security concern.

[nateirwin]

Glad you all are thinking about this. I ran into this today while working on a client-side dataset upload tool.

[alasarr]

+1

[xavijam]

There has been no activity on this issue for more several months. We are closing it. If you think this still needs to be addressed please open a new issue.

[javisantana]

please, keep this open

[noguerol]

Should we close this?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[rafatower]

This PR CartoDB/CartoDB-SQL-API#261 added some CORS support (see the middleware and usage). Not sure whether this covers the original intent of the ticket cc/ @dgaubert

[rochoa]

This was about the Import API. That looks related to SQL API batch queries, doesn't it?

[dgaubert]

Summoning @javitonino for prioritization

[rafatower]

This was about the Import API. That looks related to SQL API batch queries, doesn't it?

true, my bad

[alrocar]

We have a new way to import data via the COPY API + instead of just enabling CORS for the Import API, to use it in web applications we should think on proper OAuth support.

It's sad but 4 and half years later it's time to close this issue.