lightblue-rest requires cert with CORS preflight request; this breaks Firefox + data management app #121

Open
alechenninger opened this issue Nov 12, 2015 · 2 comments

Comments

@alechenninger
Contributor

lightblue-rest bug tracked here: lightblue-platform/lightblue-rest#187


Old description:

This is not really a bug in the app but it is affecting users. If Firefox can't do this for some legitimate reason, we should reconsider alternate strategies for implementing the lightblue communication.

For instance, originally, we tossed around the idea of having a backend be able to "impersonate" users or be able to give lightblue a request and a user and have it tell us if that user would be allowed to make that request, and if not, why.

Perhaps an even better fix would be (as mentioned in above issues) if we could use OAuth to authenticate apps to talk to lightblue via CORS instead (much more common way to CORS in the wild).

But first and foremost let's understand what the deal with Firefox is before we talk about any of that stuff.

@alechenninger
Contributor Author

90% sure it's this: https://bugzilla.mozilla.org/show_bug.cgi?id=1019603

@alechenninger
Contributor Author

It looks like this is due to a mishandling of OPTIONS requests in lightblue-rest.

Per spec at http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#preflight-request the preflight request never includes cookies. Specifically, the spec says:

> Exclude user credentials.

and that links to http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#user-credentials which says:

> The term user credentials for the purposes of this specification means cookies, HTTP authentication, and client-side SSL certificates.

Source: http://stackoverflow.com/a/10135361

@alechenninger changed the title from "Investigate why Firefox has trouble with CORS + client certs" to "lightblue-rest requires cert with CORS preflight request; this breaks Firefox + data management app" on Nov 22, 2015
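
One way a server can follow the spec text quoted in the last comment, as an added example that is not lightblue-rest code and not part of the original thread: answer the credential-less preflight from CORS policy alone and enforce the client certificate on every other request. The origin, method and header lists and the `clientCertOk` field are assumptions made for illustration.

```javascript
// Added example. Origin, method and header lists are hypothetical policy values.
const ALLOWED_ORIGINS = new Set(['https://data-mgmt.example.com']);
const ALLOWED_METHODS = 'GET, POST, PUT, DELETE';
const ALLOWED_HEADERS = 'Content-Type, Accept';

// A preflight is an OPTIONS request carrying Origin and Access-Control-Request-Method.
function isPreflight(req) {
  return req.method === 'OPTIONS' &&
    Boolean(req.headers['origin']) &&
    Boolean(req.headers['access-control-request-method']);
}

// Decide the response for a request. `req.clientCertOk` (assumed field) is true when
// the TLS layer verified a client certificate. This only works if the handshake
// requests the certificate without requiring it, e.g. in Node a server created with
// { requestCert: true, rejectUnauthorized: false } and a check of req.socket.authorized.
function decide(req) {
  const origin = req.headers['origin'];
  const originOk = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  const cors = originOk
    ? { 'Access-Control-Allow-Origin': origin,   // never "*" with credentials
        'Access-Control-Allow-Credentials': 'true',
        'Vary': 'Origin' }
    : {};

  if (isPreflight(req)) {
    // Preflights carry no cookies, HTTP auth or client cert: answer from policy only.
    if (!originOk) return { status: 403, headers: {} };
    return { status: 204, headers: { ...cors,
      'Access-Control-Allow-Methods': ALLOWED_METHODS,
      'Access-Control-Allow-Headers': ALLOWED_HEADERS } };
  }
  // Everything else, including a bare OPTIONS, still requires the certificate.
  if (!req.clientCertOk) return { status: 403, headers: cors };
  return { status: 200, headers: cors };
}
```

The preflight branch returns only policy headers, so exempting it from certificate checks exposes no application data.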