Add Cross-Origin Resource Sharing (CORS) support.

[almet]

This still misses documentation, but I want to have a review on the code first.

@rfk r?

[rfk]

IIRC the docs say that the error location field should be "header", not "headers". Not sure if this is enforced or assumed anywhere though.

[almet]

right, we should add a way to check this in the API.

[almet]

see #99

[rfk]

Cool, I like there this is going and it will be awesome to have easy CORS support baked in. It looks like some parts of the spec are unimplemented:

• the Access-Control-Max-Age header
• the Access-Control-Allow-Credentials header (although there is a setting for it)
• the Access-Control-Expose-Headers header
• handling of "simple cross-origin requests" without pre-flighting

Are they all things that can safely be left till a later date and/or left to the caller to fill in as part of the view?

[almet]

Access-Control-Max-Age and Access-Control-Allow-Credentials will be implemented, yep.

As you said, I still need to implement simple cross-origin requests, and Access-Control-Expose-Headers as part of that.

more work, I'll ping you here when I have something with these missing steps.

[almet]

I've updated the branch with the whole specification implemented, it still misses the documentation part but I'm waiting feedback on the implementation etc. before.

@rfk do you want to review this again?

[almet]

updated again; I've successfully used it for web services on Chrome and Firefox. It doesn't mean it will work everywhere, but it seems to be okay.

Also, I added the support for cors_policy which can be useful some times.

[rfk]

As a larger architectural thought, I wonder if we should pass the service object into each validator by default. IOW, make the signature of a validator function "validate(service, request)" or similar. How common is it to make a validator that closes over the service object like this?

[rfk]

This looks great @ametaireau, very clean and easy to follow. r+