[Open.ogc] CORS Support for services.ogc.noaa.gov
Tim Haverland - NOAA Federal
tim.haverland at noaa.gov
Tue Jun 18 21:33:30 UTC 2013
OK, I was able to publish my page to our test server, and there's no port
appended to the origin:

Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Access-Control-Request-Headers: origin, x-requested-with
Access-Control-Request-Method: GET
Cache-Control: no-cache
Connection: keep-alive
Host: services.ogc.noaa.gov
Origin: http://www.st-test.nmfs.noaa.gov
Pragma: no-cache
Referer: http://www.st-test.nmfs.noaa.gov/appstech/map-test
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36

Still get the error:

Origin http://www.st-test.nmfs.noaa.gov is not allowed by
Access-Control-Allow-Origin

WOC, can you allow the header x-requested-with to see if that fixes the
problem?

Tim

On Tue, Jun 18, 2013 at 4:26 PM, Micah Wengren <micah.wengren at noaa.gov> wrote:
> Tim,
>
> I found this:
> http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request
>
> It sounds like jQuery or some part of the CMS is trying to ask whether the
> server will accept a header 'x-requested-with'. I'm sure that's not
> required for OpenLayers, but it's being inserted anyway by some part of
> your site code. I don't know if that would cause the disallowed origin
> error message you're seeing if the non-standard header isn't supported or
> not, but if it is, there must be some way to disable that within the
> application, or this might get kinda complicated to get working.
>
> Either way, are you sure that the port on your server isn't the issue?
> From doing a little reading, it seems that since you're using a
> non-standard port, the 'Origin' header your site will be submitting should
> look like this:
>
> Origin: http://triggerfish2.nmfs.noaa.gov:9992
>
> It's possible that that might not match the rules in our '
> Access-Control-Allow-Origin' setting, if it's only a plain string
> comparison or something that Apache does.
>
> Micah
>
>
>
> On 6/18/2013 2:41 PM, Tim Haverland - NOAA Federal wrote:
>
> I don't know the inner workings of our content management system, so not
> sure what's sending the x-requested-with header; however, I read that this
> is pretty common with Ajax requests, especially from jQuery.
>
>
> On Tue, Jun 18, 2013 at 2:22 PM, Micah Wengren <micah.wengren at noaa.gov> wrote:
>
>> Hi open.ogc at list.woc.noaa.gov,
>>
>> I'm sending this thread I've been on with Tim back to the email list to
>> see if we can expedite troubleshooting what the issue is with a CORS
>> request from Tim's development server to services.ogc.noaa.gov. He's
>> connecting from:
>>
>> http://triggerfish2.nmfs.noaa.gov:9992
>>
>> and trying to display one of our services on an OpenLayers map (and do a
>> GetFeatureInfo request, which leads to the need for CORS support).
>>
>>
>> I don't really have the answer to his question, anyone at the WOC know
>> about accepting non-standard headers?
>>
>> Tim, do you know why this header is required from your side, and what the
>> server should be doing with it?
>>
>> Thanks,
>> Micah
>>
>> On 6/18/2013 2:05 PM, Tim Haverland - NOAA Federal wrote:
>>
>> Yeah, doesn't look like the port is an issue, however, my request is sent
>> with these headers:
>>
>>
>> Access-Control-Request-Headers: origin, x-requested-with
>>
>>
>> I've read that the server may need to accept "non-standard" headers. x-requested-with is
>> a non-standard header. Is this accepted on the server side?
>>
>> Tim
>>
>>
>> On Tue, Jun 18, 2013 at 1:35 PM, Tim Haverland - NOAA Federal <
>> tim.haverland at noaa.gov> wrote:
>>
>>> yes, response header says:
>>>
>>> Access-Control-Allow-Origin: *.noaa.gov
>>>
>>>
>>>
>>> On Tue, Jun 18, 2013 at 1:32 PM, Micah Wengren - NOAA Federal <
>>> micah.wengren at noaa.gov> wrote:
>>>
>>>> Hi Tim,
>>>>
>>>> I don't know what bearing ports have on CORS. Everything from noaa.gov should be allowed though. If you examine http headers with firebug or
>>>> something you should be able to see the rule Chi added in the header list.
>>>> I believe he would have added it for both http and https, but I'd have to
>>>> check. Not at my machine right now. It's more important for http in this
>>>> case...
>>>>
>>>> Micah
>>>>
>>>>
>>>>
>>>> On Tuesday, June 18, 2013, Tim Haverland - NOAA Federal <
>>>> tim.haverland at noaa.gov> wrote:
>>>> > Micah, is CORS supported on the production version of geoserver? I'm
>>>> trying to implement my map in our content management system, and get the
>>>> following error:
>>>> > Origin http://triggerfish2.nmfs.noaa.gov:9992 is not allowed by
>>>> Access-Control-Allow-Origin.
>>>> >
>>>> > Maybe it's the port that's throwing things off?
>>>> > Tim
>>>> >
>>>> > On Thu, Jun 13, 2013 at 1:27 PM, Micah Wengren - NOAA Federal <
>>>> micah.wengren at noaa.gov> wrote:
>>>> >>
>>>> >> Hi Tim,
>>>> >>
>>>> >> We have *.noaa.gov enabled anyway for CORS support now. If you can
>>>> copy your openlayers page to your dev server and test it out and let me
>>>> know if it works, that would be great. Whenever you get a chance, no rush.
>>>> >>
>>>>
>>>
>>
>
>
> --
> *Tim Haverland*
> Acting Operations Branch Chief
> NOAA Fisheries Office of Science and Technology
> 1315 East-West Highway
> SSMC3 Rm 12303
> Silver Spring, MD 20910
> 301-427-8137
>
>
>
--
*Tim Haverland*
Acting Operations Branch Chief
NOAA Fisheries Office of Science and Technology
1315 East-West Highway
SSMC3 Rm 12303
Silver Spring, MD 20910
301-427-8137
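
Added example, not part of the original thread: browsers compare the Access-Control-Allow-Origin value to the request's Origin as an exact string (only a bare * acts as a wildcard), so a *.noaa.gov policy has to be enforced on the server by validating the Origin and echoing it back, with the preflight's requested headers checked against an allowlist. The allowlists, function names and the shape of the request object below are assumptions for illustration.

```javascript
// Added example: server-side CORS decision for a "*.noaa.gov" policy.
const ALLOWED_SUFFIX = ".noaa.gov";                               // policy named in the thread
const ALLOWED_HEADERS = new Set(["origin", "x-requested-with"]);  // assumed allowlist
const ALLOWED_METHODS = new Set(["GET"]);                         // assumed allowlist

// Return the origin to echo back, or null if it falls outside the policy.
function allowedOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // An Origin header is scheme://host[:port] only; reject paths, userinfo, etc.
  if (url.origin !== origin) return null;
  // The leading dot in the suffix keeps "notnoaa.gov" from matching, and
  // comparing the parsed hostname keeps "noaa.gov.example.com" from matching.
  return url.hostname.endsWith(ALLOWED_SUFFIX) ? origin : null;
}

// Build response headers for a preflight (OPTIONS) request.
// `req` is a plain object keyed by lower-cased request header names (assumption).
function preflightHeaders(req) {
  const origin = allowedOrigin(req["origin"] || "");
  if (!origin) return {};                  // no CORS headers: the browser blocks the call
  const method = req["access-control-request-method"] || "";
  if (!ALLOWED_METHODS.has(method)) return {};
  const requested = (req["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!requested.every((h) => ALLOWED_HEADERS.has(h))) return {};
  return {
    "Access-Control-Allow-Origin": origin, // exact echo, never "*.noaa.gov"
    "Access-Control-Allow-Methods": method,
    "Access-Control-Allow-Headers": requested.join(", "),
    "Vary": "Origin",                      // stop caches reusing one origin's answer
  };
}

// Constructed sample: the preflight request headers quoted in the message above.
const sample = {
  "origin": "http://www.st-test.nmfs.noaa.gov",
  "access-control-request-method": "GET",
  "access-control-request-headers": "origin, x-requested-with",
};
console.log(preflightHeaders(sample));
```
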