CouchApps No Longer Work

October 20, 2021 | Glynn Bird | CouchApp Static

Cloudant mainly stores JSON documents in collections called databases, but Cloudant also has the ability to store attachments in Cloudant documents. An attachment is a binary blob of data with a file name and mime type. It could be a PDF, a JPG or a Word document.

Some users employed attachments to store HTML, CSS, JavaScript files and other assets in the database so that it could be used as a webserver - applications following this pattern were known as CouchApps. CouchApps deployed the website and the database in the same web domain, allowing client-side JavaScript to make calls back to the server to add, update and delete documents without having to worry about cross-origin security restrictions.


Photo by Jose Fontano on Unsplash

Cloudant no longer permits CouchApp scripts 🔗

As of October 2021, CouchApps using JavaScript will become inoperable on Cloudant. Fetched attachments will be served out with an additional header: Content-Security-Policy: sandbox. This header instructs the browser to prevent script execution on such attachments, so any JavaScript (whether in .js files or in <script> tags) will be barred from execution on the client machine.

Only Javascript-free CouchApps will continue to operate.

The reason for this change is to close a security loophole which could lead to privilege escalation and malicious data access.

Regular attachments will continue to work 🔗

Regular document attachments will continue to work as normal, the only difference being the addition of the Content-Security-Policy header on attachment retrieval which should not affect normal operation.

Alternatives to CouchApps 🔗

Static websites have become very popular in recent years and there many better places for hosting static content than in a database:

Any of the above solutions will mean that the website and database server will reside on different domain names and by default, a web page may only access resources on the domain it was served out from. This will mean that web requests originating from web page’s JavaScript, targeting a Cloudant service would not be permitted (by the web browser).

Cloudant can be configured to permit cross-domain requests by enabling CORS in the Cloudant Dashboard: you may choose to allow requests from any domain, or to a list of specified domains.

The combination of a static hosting service and Cloudant with CORS enabled, should allow CouchApp-like functionality to be reproduced.