Getting CORS to work with civetweb


mapel

Feb 5, 2014, 11:56:45 AM
to cive...@googlegroups.com
Hey guys,

I am trying to get CORS working with civetweb and tried to follow this post: https://groups.google.com/forum/#!topic/mongoose-users/VUyVz_knpVM

I guess I have to edit the lines 3362-3366, 4385-4389 and 4404-4410 to include the "Access-Control-Allow-Origin"-response. 

I do not know exactly how I have to edit them, so maybe someone can tell me.

Thank you very much and kind regards
mapel

bel

Feb 5, 2014, 2:45:06 PM
to cive...@googlegroups.com
I have never used Cross-Origin Resource Sharing, but from what I read here
https://developer.mozilla.org/en/docs/HTTP/Access_control_CORS
I don't think that it is that easy. In particular, if you look at the "Preflighted Requests" chapter.

So adding a line like
Access-Control-Allow-Origin: *
to the response header is only half the story. The full protocol is significantly more sophisticated: http://www.w3.org/TR/cors/

We should not add just half of the protocol to the official repository.
If you want to try if adding this single line is sufficient for your particular use case, try the following:

a) Your line numbers do not fit the current code. In civetweb.c, find the function handle_file_request, and add the green line

    (void) mg_printf(conn,
                     "HTTP/1.1 %d %s\r\n"
                     "Access-Control-Allow-Origin: *\r\n" /* the added (green) line */
                     "Date: %s\r\n"
                     "Last-Modified: %s\r\n"
                     "Etag: %s\r\n"
                     "Content-Type: %.*s\r\n"
                     "Content-Length: %" INT64_FMT "\r\n"
                     "Connection: %s\r\n"
                     "Accept-Ranges: bytes\r\n"
                     "%s%s\r\n",
                     conn->status_code, msg, date, lm, etag, (int) mime_vec.len,
                     mime_vec.ptr, cl, suggest_connection_header(conn), range, encoding);

This single change should be enough for all static files sent by the server (images, javascripts, stylesheets, videos, ..). Forget about directory requests and other changes for the moment.
You need to recompile the code and test it - I did not try it myself.

b) Alternatively it should be possible to send this header line by using a Lua script to serve the resources. You do not need to change a single line of C code for this, so the pre-built binaries at sourceforge should work as well (or probably not, if this requires the next version .. I have to check that .. the current source on github already has all required features, so it should be at least in the next release).
You would have to create a lua resource script (e.g., by modifying resource_script_demo.lua) to send the page with any header you like.
I think it would be possible to implement the full CORS protocol through a Lua resource script, not just the "half story" Access-Control-Allow-Origin: * header.



mapel

Feb 6, 2014, 2:26:54 AM
to cive...@googlegroups.com
It works with the first suggestion.

Thank you.

Joe Mucchiello

Feb 12, 2014, 1:16:00 AM
to cive...@googlegroups.com
Obviously, if you are going to add that to the release version of civetweb, that "*" should be a configuration value. Or, perhaps just a "default headers" config entry. Or yet another callback.

bel

Feb 12, 2014, 3:16:51 PM
to cive...@googlegroups.com


On Wednesday, February 12, 2014 7:16:00 AM UTC+1, Joe Mucchiello wrote:
> Obviously, if you are going to add that to the release version of civetweb, that "*" should be a configuration value. Or, perhaps just a "default headers" config entry. Or yet another callback.

For the moment, I would not add this to the release version, neither with a "*" nor with a configured value. Everyone who needs this patch, please apply it on your own - at least for the moment.
As I wrote above, this line is only half the story of a full CORS implementation. Before adding a half implementation to the release version, I would like to check what it takes to make a full implementation.
Maybe a half implementation with a configured value would already fulfill 99% of all relevant CORS use cases - I cannot estimate this at the moment.

bel

Feb 17, 2014, 2:40:20 PM
to cive...@googlegroups.com

A full implementation of CORS in civetweb seems feasible.
For static files, which only allow the GET method, adding the Access-Control-Allow-Origin header with a configurable value is sufficient.
Dynamic resources, represented by CGI or Lua scripts, already do full CORS, including preflights.

A first version is available in my GIT repository.
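
The two points raised in this thread, that a bare `Access-Control-Allow-Origin: *` line is only part of CORS and that the value should come from configuration, shown as an added example that is not part of the thread and is not civetweb's code. `cors_headers`, `method_listed` and the return codes are hypothetical names, and the sketch assumes the configured value is either `*` or one exact origin.

```c
#include <stdio.h>
#include <string.h>

/* Exact token match of method m in a comma-separated list such as "GET, HEAD". */
static int method_listed(const char *list, const char *m)
{
    size_t len = strlen(m);
    const char *p = list;
    if (len == 0 || strpbrk(m, ", ") != NULL) return 0;
    while ((p = strstr(p, m)) != NULL) {
        int start_ok = (p == list) || p[-1] == ' ' || p[-1] == ',';
        int end_ok = p[len] == '\0' || p[len] == ',' || p[len] == ' ';
        if (start_ok && end_ok) return 1;
        p += len;
    }
    return 0;
}

/* Hypothetical helper (not civetweb API). Fills out with the CORS header lines
 * for one request. Returns 0 = send no CORS headers, 1 = actual request
 * allowed, 2 = preflight allowed (reply with these headers and no body). */
int cors_headers(const char *method, const char *origin, const char *req_method,
                 const char *allow_origin, const char *allow_methods,
                 char *out, size_t outlen)
{
    int n, preflight;
    const char *vary;
    if (outlen == 0) return 0;
    out[0] = '\0';
    if (origin == NULL) return 0; /* no Origin header: not a CORS request */
    if (strcmp(allow_origin, "*") != 0 && strcmp(allow_origin, origin) != 0)
        return 0; /* origin does not match the configured value */
    /* A specific origin makes the response depend on Origin, so add Vary. */
    vary = strcmp(allow_origin, "*") == 0 ? "" : "Vary: Origin\r\n";
    preflight = strcmp(method, "OPTIONS") == 0 && req_method != NULL;
    if (preflight) {
        if (!method_listed(allow_methods, req_method)) return 0;
        n = snprintf(out, outlen,
                     "Access-Control-Allow-Origin: %s\r\n%s"
                     "Access-Control-Allow-Methods: %s\r\n",
                     allow_origin, vary, allow_methods);
    } else {
        n = snprintf(out, outlen, "Access-Control-Allow-Origin: %s\r\n%s",
                     allow_origin, vary);
    }
    if (n < 0 || (size_t) n >= outlen) { out[0] = '\0'; return 0; } /* truncated */
    return preflight ? 2 : 1;
}
```

The header value written is always the configured string, never the request's own `Origin` bytes, so request data cannot inject extra header lines.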
