Cross-Origin Resource Sharing (CORS) is a W3C spec that allows cross-domain communication from the browser. From an API/Server perspective this relies on some headers send in the HTTP Request/Response + the support of OPTIONS request (the preflight request in the spec) so that the browser can transparently check whether CORS is supported or not.

At the moment, the REST API v2 does not support the OPTIONS requests. In addition the required headers in API responses can be added with a (quite tricky) Apache configuration but IMHO, this should be handled by the REST bundle.

Requirements

• semantical configuration for allowed cross domains, including * (all)
• return the request's origin: Access-Control-Allow-Origin: http://origin.example.com (or *)
• OPTIONS must return the list of allowed methods. For now, it can be identical to the "normal" OPTIONS response, Allow, but using the Access-Control-Allow-Methods header
• every CORS request must A) check if the origin is acceptable based on configuration, and refuse to reply if it isn't B) include the appropriate Access-Control headers
• ... to be continued

References

• http://www.w3.org/TR/cors/
• http://www.html5rocks.com/en/tutorials/cors/
• https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS