Any way to limit access to CouchDB view when JSONP is enabled?

Question

I enabled JSONP on my iriscouch CouchDB so I could make ajax requests to my views. This means that anybody can make ajax request to my CouchDB views.

Is there any way to prevent this?

If not, then is there a way to limit access to the views (with JSONP turned off) so that only my application can view it (using a proxy)?

Answer 1

Cross-domain functionality is still difficult. I do not think JSONP allows authenticated requests, therefore your choice with JSONP is between totally public data and totally private data.

(Incidentally, if you are concerned about privacy, note that your enemies or script kiddies or whoever can simply read the page source and query your views with curl.)

The correct solution to cross-domain security is Cross-Object Resource Sharing (CORS). There is a CouchDB CORS patch. Incidentally, Iris Couch (where I work) does unofficially support this patch and will activate it if you contact them.

If you use a proxy, the benefit is that you have huge flexibility and control about security. (The downside, obviously, is that now you must maintain a new server, and you must also be vigilant that somebody poked a hole in your security policy that you'd not realized.)