[DAS] CORS

Thomas Down thomas.a.down at gmail.com
Wed Aug 4 15:26:25 UTC 2010


Despite being a strong CORS advocate (and not just for DAS -- it'll be
beneficial for a whole raft of services), I'm actually a bit reluctant to
make it mandatory without some rather careful thought.

Unrestricted CORS is, as far as I can tell, always appropriate for public
DAS servers offering data to the community.  It's probably also good for
password-protected-but-publicly-routable servers (although the
implementation gets a wee bit more complex in that case).

However, if you're running a DAS server behind a firewall, CORS does
potentially open you to possible security issues which wouldn't otherwise be
present.  In the most security-conscious environments, people might want to
just whitelist the origins of specific clients.

How about including a link to the CORS spec and saying "implementation is
strongly encouraged", or something like that?

                  thomas.

On Wed, Aug 4, 2010 at 3:58 PM, Andy Jenkinson <andy.jenkinson at ebi.ac.uk> wrote:

> Since this seems to have been given the thumbs up, shall we make CORS
> support mandatory from 1.6 onwards?
>
> I suggested this when it first came up last year, but I got no replies so
> didn't put it in the spec. I suspect because it was in the middle of a
> flurry of emails about "maxbins" :)
>
> On 3 Aug 2010, at 22:28, Thomas Down wrote:
>
> > Jonathan's written a nice summary here:
> >
> >              http://biodasman.wordpress.com/2010/07/20/cors/
> >
> > But briefly...  it's the "official" way to work around the same-origin
> > policy (by default, browsers only allow unsigned javascript to trigger HTTP
> > requests to the server from which it was originally downloaded).  The
> > specification is here:
> >
> >                http://www.w3.org/TR/cors/
> >
> > (Please don't be too alarmed by the datestamp!  The core parts have been
> > stable for > a year now, and it's well supported by Mozilla, WebKit, and --
> > via a slightly different API -- Internet Explorer).
> >
> > If you're running a public server and want it to be CORS accessible, all
> > that is needed is to emit the header:
> >
> >          Access-Control-Allow-Origin: *
> >
> > ...and you're done.
> >
> > (If you're running password-protected DAS servers, or DAS servers hosting
> > sensitive information behind a firewall, you might want a slightly more
> > sophisticated CORS implementation.  Happy to discuss if anyone is
> > interested).
> >
> >                    Thomas.
> >
> > On Tue, Aug 3, 2010 at 10:21 PM, Lincoln Stein <lincoln.stein at gmail.com> wrote:
> >
> >> Someone give me a quick summary of CORS support. I want to make sure that
> >> GBrowse exports DAS 1.53 with CORS (is it just the registry metadata, or
> >> something new?)
> >>
> >> Lincoln
> >>
> >> On Tue, Aug 3, 2010 at 4:52 PM, Jonathan Warren <jw12 at sanger.ac.uk> wrote:
> >>
> >>> This is very cool - I had a look the other day. Was wondering why some
> >>> sources could be attached and some can't....
> >>> Best browser experience yet by far I'd say.
> >>>
> >>> No problems about adding CORS support - for the record I'm very happy to
> >>> implement new capabilities testing and other suggestions to the registry
> >>> from anyone who cares to drop me a line. Especially if it's going to enhance
> >>> and promote the use of the registry :)
> >>>
> >>>
> >>>
> >>> On 3 Aug 2010, at 20:41, Thomas Down wrote:
> >>>
> >>>> As some of you already know, I've been experimenting recently with a
> >>>> web-based DAS client for genomic data.  It's still in an unashamedly
> >>>> prototypical state (in particular, some of the popups and configuration
> >>>> stuff is outright clunky, and we know it!), but we're starting to find it
> >>>> quite useful, and would be interested to receive more feedback.
> >>>> So if you're curious, you can try it here:
> >>>>
> >>>>             http://www.biodalliance.org/human/ncbi36/
> >>>>
> >>>> It's a fully-fledged DAS/1.53 client (with a few bits of DAS/1.6, and
> >>>> hopefully rather more coming soon), but has one major caveat: since it's
> >>>> pure Javascript code running in your web browser, there are limitations to
> >>>> which servers it can connect to.  Specifically, it will only work with DAS
> >>>> servers that implement the W3C cross-origin resource sharing model (which
> >>>> has been discussed on this list before, but drop me a line if you've got any
> >>>> questions).  What does this mean in practice?  If you're adding datasources
> >>>> from the registry, things are simple because Dalliance will only allow you
> >>>> to add CORS-enabled sources (a huge thanks to Jonathan Warren for adding
> >>>> some support for this in the registry).  If you run your own DAS servers and
> >>>> don't list them in the registry, you'll need to check for CORS compatibility
> >>>> yourself.  The latest versions of Proserver and Dazzle should both be okay.
> >>>>
> >>>> All comments, suggestions, and bug reports are welcome!
> >>>>
> >>>>                 Thomas Down.
> >>>> _______________________________________________
> >>>> DAS mailing list
> >>>> DAS at lists.open-bio.org
> >>>> http://lists.open-bio.org/mailman/listinfo/das
> >>>>
> >>>
> >>> Jonathan Warren
> >>> Senior Developer and DAS coordinator
> >>> blog: http://biodasman.wordpress.com/
> >>> jw12 at sanger.ac.uk
> >>> Ext: 2314
> >>> Telephone: 01223 492314
> >>>
> >>> --
> >>> The Wellcome Trust Sanger Institute is operated by Genome Research Limited,
> >>> a charity registered in England with number 1021457 and a company registered
> >>> in England with number 2742969, whose registered office is 215 Euston Road,
> >>> London, NW1 2BE.
> >>>
> >>
> >>
> >>
> >> --
> >> Lincoln D. Stein
> >> Director, Informatics and Biocomputing Platform
> >> Ontario Institute for Cancer Research
> >> 101 College St., Suite 800
> >> Toronto, ON, Canada M5G0A3
> >> 416 673-8514
> >> Assistant: Renata Musa <Renata.Musa at oicr.on.ca>
> >>
>
>
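
Added example (not part of the original thread, and not code from Proserver, Dazzle or Dalliance): one way a DAS server could choose its CORS response headers for the three deployments the message distinguishes, namely public, password-protected, and firewalled with a whitelist of client origins. The mode names, function names and sample origins are assumptions; the password-protected branch relies on the CORS rule that `*` is not accepted on credentialed requests.

```python
from urllib.parse import urlsplit

# Deployment modes (names are assumptions made for this example).
PUBLIC, PROTECTED, FIREWALLED = "public", "protected", "firewalled"

def normalize_origin(value):
    """Return 'scheme://host[:port]' in lower case, or None if malformed."""
    try:
        parts = urlsplit(value or "")
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    return f"{parts.scheme}://{parts.hostname}" + (f":{port}" if port else "")

def cors_headers(mode, request_origin, allowed=frozenset()):
    """Headers to add to one response; no Allow-Origin key means no grant."""
    if mode == PUBLIC:
        # Community data, no credentials involved: the wildcard is enough.
        return {"Access-Control-Allow-Origin": "*"}
    origin = normalize_origin(request_origin)
    # Exact match against the whitelist, never a prefix/suffix/substring test.
    if origin is None or origin not in allowed:
        return {"Vary": "Origin"}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if mode == PROTECTED:
        # Browsers reject '*' on credentialed requests, so echo the origin.
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

# Constructed sample whitelist and Origin header values.
ALLOWED = frozenset({"https://genome-client.example.org"})

if __name__ == "__main__":
    for mode, origin in [
        (PUBLIC, None),
        (FIREWALLED, "https://genome-client.example.org"),
        (FIREWALLED, "https://genome-client.example.org.other.test"),
        (PROTECTED, "HTTPS://Genome-Client.example.org"),
        (FIREWALLED, "null"),
    ]:
        print(mode, origin, cors_headers(mode, origin, ALLOWED))
```

`Vary: Origin` is sent on every non-public response so that a shared cache does not replay a response granted to one origin to a different one.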
