Cross-domain requests #15

kw4n opened this Issue Mar 28, 2011 · 4 comments

3 participants


How can I POST data to datastore cross-domain? I have my webapp running on and Pintura is running on I can authenticate and get pintura-session cookie but I can't get POST to work. I have tried to put Client-Id with pintura-session string but no luck, I'm still getting 405 error.

persvr member

The cookie alone is not enough to authorize a cross-domain request, since it would enable cross-site request forgery security exploits. One alternate approach is to include the authentication with each request, with /Path/?http-authorization=user:pass. If you need to use cookies, you will need to arrange for the session id to be accessible to the client code, so they can do requests with the session explicitly included in the query string: /Path/?pintura-session=session-id


So basically what this means is that it will be really hard to do a public JSONP API with Pintura if you can't accept authentication tokens cross-domain? Could I implement OAuth somehow on top of Pintura without actually writing the whole thing from scratch? :) That would solve the problem and offer a secure way to do cross-domain and still use the whole facet security paradigm.

The suggestion of putting login credentials in the URL is highly insecure if you think about people using public wifis etc. to access the app. This is why Twitter changed their API auth model a while back.


By the way, it works with ?http-authorization but I really don't want to send user:pass over every request :/


Perhaps adding Access-Control-Allow-Credentials would be an option...
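An added example, not code from the issue or from Pintura, of what honouring Access-Control-Allow-Credentials actually involves on the server side, tying together the CSRF concern in the first reply and the header suggested above; the two origins and the Client-Id requirement are assumed values for the example:

```javascript
// Added example, not Pintura's own code: the CORS decision a server must make before a
// browser will send its cookie on a cross-origin POST. The origins and the
// 'Client-Id' requirement are assumptions for this example.
const SELF_ORIGIN = 'https://api.example.com';                 // constructed
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);  // constructed allowlist
const WRITE_METHODS = new Set(['POST', 'PUT', 'DELETE']);

// Origin header absent: not a browser-initiated cross-origin request. Equal to
// SELF_ORIGIN: same-origin, so CORS does not apply and no headers are needed.
function corsDecision(req) {
  const origin = req.headers['origin'];
  if (origin === undefined || origin === SELF_ORIGIN) {
    return { status: null, headers: {} };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: emit no CORS headers (the browser then refuses to expose
    // the response to the page) and reject a preflight outright.
    return { status: 403, headers: {} };
  }
  // Cookies cross the origin boundary only with Allow-Credentials: true, and the
  // spec forbids pairing that with '*', so the specific origin is echoed back and
  // 'Vary: Origin' keeps shared caches from replaying it to another origin.
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
  if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
    // Preflight: list what the real request may use; 'Client-Id' is the custom
    // header from the thread, so it must be allowed here or the POST never starts.
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Client-Id';
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers };
  }
  return { status: null, headers };
}

// CSRF guard for cookie-authenticated writes: an HTML form cannot add a custom
// header and a cross-origin script can only do so after passing the preflight
// above, so requiring an allowlisted Origin plus 'Client-Id' means a forged
// cross-site POST that merely carries the pintura-session cookie is refused.
function isAcceptedWrite(req) {
  if (!WRITE_METHODS.has(req.method)) return true;                 // only state-changing methods are guarded
  const origin = req.headers['origin'];
  if (origin === undefined || origin === SELF_ORIGIN) return true; // same-origin or non-browser client
  return ALLOWED_ORIGINS.has(origin) && typeof req.headers['client-id'] === 'string';
}
```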
