Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I enabled JSONP on my iriscouch CouchDB so I could make ajax requests to my views.
This means that anybody can make ajax request to my CouchDB views.
Is there any way to prevent this?
If not, then is there a way to limit access to the views (with JSONP turned off) so that only my application can view it (using a proxy)?
Cross-domain functionality is still difficult. I do not think JSONP allows authenticated requests, therefore your choice with JSONP is between totally public data and totally private data.
(Incidentally, if you are concerned about privacy, note that your enemies or script kiddies or whoever can simply read the page source and query your views with
curl.)The correct solution to cross-domain security is Cross-Object Resource Sharing (CORS). There is a CouchDB CORS patch. Incidentally, Iris Couch (where I work) does unofficially support this patch and will activate it if you contact them.
If you use a proxy, the benefit is that you have huge flexibility and control about security. (The downside, obviously, is that now you must maintain a new server, and you must also be vigilant that somebody poked a hole in your security policy that you’d not realized.)