Support for CORS (or JSONP?)

[cportele]

Servers should support a mechanism to overcome cross-domain restrictions.

To be consistent with HTTP, it probably should be CORS. Is that only a separate requirement or does it need to be reflected in the OpenAPI definition? The discussion here suggests that it should not be reflected explicitly in the OpenAPI definition.

Is the convenience of JSONP important enough to support it, too, even with its drawbacks?

[sebastianovide]

what's the main reason for supporting JSONP ?

[jvanulde]

@sebastianovide I would say that it's more for implementations where implementers don't have admin privileges on the host. Otherwise, I don't see an obvious reason.

[cportele]

JSONP or CORS are needed, if you want to access data from a web page and the data is on another host than the webpage. For example, a web-application accessing data from multiple distributed sources. The "same-origin policy" would prevent this.

See, for example, https://en.wikipedia.org/wiki/JSONP.

[cportele]

Discussed during the meeting on 2017-11-28: Simply create awareness for the issue and mention CORS/JSONP as potential approaches. Then wait for implementer feedback whether more is needed.

[cholmes]

Agreed, I think a short best practices paper explaining the issue and how to configure your web server would go a long way. CORS configuration is often outside of the actual WFS server - like in GeoServer with Java you can't set the configuration within the code, you have to update a setting in your tomcat or jetty server.