Apache Allura™

The latest Allura code now supports CORS http headers. It will be included in the next release of Allura, or is available now by using the latest code from git.

CORS headers allow JavaScript running on other sites to access the Allura APIs. By default, browser's Same Origin Policy would prevent that. CORS is still secure, because Allura's authenticate is in place. APIs that require authorization still require it. OAuth or OAuth tokens can be used, cookies cannot be used - so nobody could be tricked into doing something accidentally.

To enable this and allow more sites to integrate with Allura, see the cors.* settings in your development.ini file.