[DAS] CORS

Thomas Down thomas.a.down at gmail.com
Wed Aug 4 17:39:08 UTC 2010


That sounds good to me,

              Thomas.

On Wed, Aug 4, 2010 at 5:17 PM, Andy Jenkinson <andy.jenkinson at ebi.ac.uk> wrote:

> Well we could specify that software must implement the procedure, and not
> actually require servers to accept requests from all origins?
>
> On 4 Aug 2010, at 16:26, Thomas Down wrote:
>
> > Despite being a strong CORS advocate (and not just for DAS -- it'll be
> > beneficial for a whole raft of services), I'm actually a bit reluctant to
> > make it mandatory without some rather careful thought.
> >
> > Unrestricted CORS is, as far as I can tell, always appropriate for public
> > DAS servers offering data to the community.  It's probably also good for
> > password-protected-by-publicly-routable servers (although the
> > implementation gets a wee bit more complex in that case).
> >
> > However, if you're running a DAS server behind a firewall, CORS does
> > potentially open you to possible security issues which wouldn't otherwise be
> > present.  In the most security-conscious environments, people might want to
> > just whitelist the origins of specific clients.
> >
> > How about including a link to the CORS spec and saying "implementation is
> > strongly encouraged", or something like that?
> >
> >                   thomas.
> >
> > On Wed, Aug 4, 2010 at 3:58 PM, Andy Jenkinson <andy.jenkinson at ebi.ac.uk> wrote:
> > Since this seems to have been given the thumbs up, shall we make CORS
> > support mandatory from 1.6 onwards?
> >
> > I suggested this when it first came up last year, but I got no replies so
> > didn't put it in the spec. I suspect because it was in the middle of a
> > flurry of emails about "maxbins" :)
> >
> > On 3 Aug 2010, at 22:28, Thomas Down wrote:
> >
> > > Jonathan's written a nice summary here:
> > >
> > >              http://biodasman.wordpress.com/2010/07/20/cors/
> > >
> > > > But briefly...  it's the "official" way to work around the same-origin
> > > > policy (by default, browsers only allow unsigned javascript to trigger HTTP
> > > > requests to the server from which it was originally downloaded).  The
> > > > specification is here:
> > > >
> > > >                http://www.w3.org/TR/cors/
> > > >
> > > > (Please don't be too alarmed by the datestamp!  The core parts have been
> > > > stable for > a year now, and it's well supported by Mozilla, WebKit, and --
> > > > via a slightly different API -- Internet Explorer).
> > > >
> > > > If you're running a public server and want it to be CORS accessible, all
> > > > that is needed is to emit the header:
> > >
> > >          Access-Control-Allow-Origin: *
> > >
> > > ...and you're done.
> > >
> > > > (If you're running password-protected DAS servers, or DAS servers hosting
> > > > sensitive information behind a firewall, you might want a slightly more
> > > > sophisticated CORS implementation.  Happy to discuss if anyone is
> > > > interested).
> > >
> > >                    Thomas.
> > >
> > > > On Tue, Aug 3, 2010 at 10:21 PM, Lincoln Stein <lincoln.stein at gmail.com> wrote:
> > > >
> > > >> Someone give me a quick summary of CORS support. I want to make sure that
> > > >> GBrowse exports DAS 1.53 with CORS (is it just the registry metadata, or
> > > >> something new?)
> > >>
> > >> Lincoln
> > >>
> > > >> On Tue, Aug 3, 2010 at 4:52 PM, Jonathan Warren <jw12 at sanger.ac.uk> wrote:
> > > >>
> > > >>> This is very cool - I had a look the other day. Was wondering why some
> > > >>> sources could be attached and some can't....
> > > >>> Best browser experience yet by far I'd say.
> > > >>>
> > > >>> No problems about adding CORS support - for the record I'm very happy to
> > > >>> implement new capabilities testing and other suggestions to the registry
> > > >>> from anyone who cares to drop me a line. Especially if it's going to enhance
> > > >>> and promote the use of the registry :)
> > >>>
> > >>>
> > >>>
> > >>> On 3 Aug 2010, at 20:41, Thomas Down wrote:
> > >>>
> > > >>>> As some of you already know, I've been experimenting recently with a
> > > >>>> web-based DAS client for genomic data.  It's still in
> > > >>>> an unashamedly prototypical state (in particular, some of the popups and
> > > >>>> configuration stuff is outright clunky, and we know it!), but we're
> > > >>>> starting to find it quite useful, and would be interested to receive more
> > > >>>> feedback.  So if you're curious, you can try it here:
> > > >>>>
> > > >>>>             http://www.biodalliance.org/human/ncbi36/
> > > >>>>
> > > >>>> It's a fully-fledged DAS/1.53 client (with a few bits of DAS/1.6, and
> > > >>>> hopefully rather more coming soon), but has one major caveat: since it's
> > > >>>> pure Javascript code running in your web browser, there are limitations
> > > >>>> to which servers it can connect to.  Specifically, it will only work with
> > > >>>> DAS servers that implement the W3C cross-origin resource sharing model
> > > >>>> (which has been discussed on this list before, but drop me a line if
> > > >>>> you've got any questions).  What does this mean in practice?  If you're
> > > >>>> adding datasources from the registry, things are simple because Dalliance
> > > >>>> will only allow you to add CORS-enabled sources (a huge thanks to Jonathan
> > > >>>> Warren for adding some support for this in the registry).  If you run your
> > > >>>> own DAS servers and don't list them in the registry, you'll need to check
> > > >>>> for CORS compatibility yourself.  The latest versions of Proserver and
> > > >>>> Dazzle should both be okay.
> > >>>>
> > >>>> All comments, suggestions, and bug reports are welcome!
> > >>>>
> > >>>>                 Thomas Down.
> > >>>> _______________________________________________
> > >>>> DAS mailing list
> > >>>> DAS at lists.open-bio.org
> > >>>> http://lists.open-bio.org/mailman/listinfo/das
> > >>>>
> > >>>
> > >>> Jonathan Warren
> > >>> Senior Developer and DAS coordinator
> > >>> blog: http://biodasman.wordpress.com/
> > >>> jw12 at sanger.ac.uk
> > >>> Ext: 2314
> > >>> Telephone: 01223 492314
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>> --
> > > >>> The Wellcome Trust Sanger Institute is operated by Genome Research Limited,
> > > >>> a charity registered in England with number 1021457 and a company registered
> > > >>> in England with number 2742969, whose registered office is 215 Euston Road,
> > > >>> London, NW1 2BE.
> > >>>
> > >>> DAS mailing list
> > >>> DAS at lists.open-bio.org
> > >>> http://lists.open-bio.org/mailman/listinfo/das
> > >>>
> > >>
> > >>
> > >>
> > >> --
> > >> Lincoln D. Stein
> > >> Director, Informatics and Biocomputing Platform
> > >> Ontario Institute for Cancer Research
> > >> 101 College St., Suite 800
> > >> Toronto, ON, Canada M5G0A3
> > >> 416 673-8514
> > >> Assistant: Renata Musa <Renata.Musa at oicr.on.ca>
> > >>
> >
> >
>
>
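
The two policies discussed in this thread (a wildcard for public DAS servers, an origin whitelist for firewalled or password-protected ones) can be expressed as a single header-selection function. This is an added example, not code from the thread or from any DAS server; the policy object shape and the hostnames are assumptions made for illustration.

```javascript
// Added example: choose CORS response headers for a DAS server.
// Policy fields and hostnames below are constructed, not from the thread.

// Accept only a bare scheme://host[:port] origin, as browsers send it.
function normalizeOrigin(origin) {
  try {
    const u = new URL(origin);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    // Reject anything carrying a path, query, or other extras.
    return u.origin === origin.toLowerCase() ? u.origin : null;
  } catch (e) {
    return null; // e.g. the literal "null" origin, or garbage
  }
}

function corsHeaders(requestOrigin, policy) {
  const headers = {};
  if (policy.mode === "public") {
    // Public data, no credentials: the wildcard from the thread is enough.
    headers["Access-Control-Allow-Origin"] = "*";
    return headers;
  }
  // Whitelist mode: the response depends on the Origin request header,
  // so shared caches must key on it.
  headers["Vary"] = "Origin";
  const origin = requestOrigin ? normalizeOrigin(requestOrigin) : null;
  // Exact string match only; prefix or substring checks are easy to get wrong.
  if (origin && policy.allowedOrigins.includes(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    // Browsers refuse "*" on credentialed requests, so the specific origin
    // is echoed and credentials are opted in explicitly.
    if (policy.credentials) {
      headers["Access-Control-Allow-Credentials"] = "true";
    }
  }
  return headers; // no Allow-Origin header means the browser blocks the read
}

// Constructed sample policies.
const PUBLIC_DAS = { mode: "public" };
const INTERNAL_DAS = {
  mode: "allowlist",
  allowedOrigins: ["https://genome-browser.example.org"],
  credentials: true,
};
```
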


