
Any way to limit access to CouchDB view when JSONP is enabled?

Tags: jsonp, couchdb

I enabled JSONP on my iriscouch CouchDB so I could make ajax requests to my views. This means that anybody can make ajax requests to my CouchDB views.

Is there any way to prevent this?

If not, then is there a way to limit access to the views (with JSONP turned off) so that only my application can view it (using a proxy)?

edt asked Jul 14 '11 05:07


1 Answer

Cross-domain functionality is still difficult. I do not think JSONP allows authenticated requests, therefore your choice with JSONP is between totally public data and totally private data.

(Incidentally, if you are concerned about privacy, note that your enemies or script kiddies or whoever can simply read the page source and query your views with curl.)

The correct solution to cross-domain security is Cross-Object Resource Sharing (CORS). There is a CouchDB CORS patch. Incidentally, Iris Couch (where I work) does unofficially support this patch and will activate it if you contact them.

If you use a proxy, the benefit is that you have huge flexibility and control over security. (The downside, obviously, is that now you must maintain a new server, and you must also be vigilant that somebody poked a hole in your security policy that you'd not realized.)

JasonSmith answered Sep 27 '22 21:09
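The proxy option from the answer above, sketched as an added example (not part of the original post and not CouchDB or Iris Couch code): a Node.js request policy that forwards only allow-listed view paths, drops the JSONP `callback` parameter, and attaches credentials held server-side. It assumes JSONP is off, CouchDB requires authentication, and Node 18+ for `fetch`; every name and value (`ALLOWED_VIEWS`, `COUCH`, `planUpstream`, `handle`, the view path, the account) is hypothetical.

```javascript
// Added example: all names, paths and credentials below are constructed.
const ALLOWED_VIEWS = new Set(["/blog/_design/posts/_view/by_date"]);
const ALLOWED_PARAMS = new Set(["limit", "skip", "descending", "startkey", "endkey", "key"]);
const COUCH = { origin: "http://127.0.0.1:5984", user: "proxy_reader", pass: "PLACEHOLDER" };

// Decide whether a client request may reach CouchDB and, if so, build the
// upstream URL and headers. Pure function: no network access.
function planUpstream(method, rawUrl, couch = COUCH) {
  if (method !== "GET") return { status: 405 }; // read-only proxy
  const url = new URL(rawUrl, "http://proxy.invalid");
  // url.pathname is normalized, so "/x/../_users/_all_docs" cannot match.
  if (!ALLOWED_VIEWS.has(url.pathname)) return { status: 403 };
  const query = new URLSearchParams();
  for (const [name, value] of url.searchParams) {
    // Anything not explicitly allowed is dropped, including "callback".
    if (ALLOWED_PARAMS.has(name)) query.append(name, value);
  }
  // Cap the result size so one request cannot dump the whole view.
  const asked = Number(query.get("limit") || 50);
  const limit = Number.isInteger(asked) && asked > 0 ? Math.min(asked, 100) : 50;
  query.set("limit", String(limit));
  const auth = Buffer.from(`${couch.user}:${couch.pass}`).toString("base64");
  return {
    status: 200,
    url: `${couch.origin}${url.pathname}?${query}`,
    headers: { Authorization: `Basic ${auth}`, Accept: "application/json" },
  };
}

// HTTP handler that applies the policy; the client never sees the
// CouchDB credentials or its error bodies.
async function handle(req, res) {
  const plan = planUpstream(req.method, req.url);
  if (plan.status !== 200) {
    res.writeHead(plan.status);
    return res.end();
  }
  try {
    const upstream = await fetch(plan.url, { headers: plan.headers });
    const body = upstream.ok ? await upstream.text() : "";
    res.writeHead(upstream.ok ? 200 : 502, { "Content-Type": "application/json" });
    res.end(body);
  } catch {
    res.writeHead(502);
    res.end();
  }
}
// To serve it: pass `handle` to http.createServer(...) and listen on the app's origin.
```

Served from the same origin as the application, this removes the need for JSONP or CORS in the browser, and the allow-list is the security policy that has to be reviewed whenever a view is added.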