[Open.ogc] CORS Support for services.ogc.noaa.gov
Tim Haverland - NOAA Federal
tim.haverland at noaa.gov
Wed Jun 19 15:03:16 UTC 2013
Unfortunately that error message is not helpful - from what I understand it
can be raised by many different causes not limited to origin issues.
On Wed, Jun 19, 2013 at 10:51 AM, Micah Wengren <micah.wengren at noaa.gov> wrote:
> Hi all,
>
> WOC/Chi, I think if you can for testing purposes, this would require
> adding the following config line (per
> http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request
> ):
>
> Access-Control-Allow-Headers: x-requested-with
>
> If you don't mind adding that, we can do a quick troubleshooting to see if
> that fixes the issue. I'm not really sure what the purpose of the
> non-standard header is or why it should be required, and in the end you
> might end up having to remove that Tim, but it would be good to know if
> that's what's causing the request to fail anyway.
>
> The error message Origin http://www.st-test.nmfs.noaa.gov is not allowed
> by Access-Control-Allow-Origin seems to suggest it is still due to an
> origin restriction though.
>
> Thanks,
> Micah
>
>
> On 6/18/2013 5:33 PM, Tim Haverland - NOAA Federal wrote:
>
> OK, I was able to publish my page to our test server, and there's no port
> appended to the origin:
>
>
> Accept: */*
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: en-US,en;q=0.8
> Access-Control-Request-Headers: origin, x-requested-with
> Access-Control-Request-Method: GET
> Cache-Control: no-cache
> Connection: keep-alive
> Host: services.ogc.noaa.gov
> Origin: http://www.st-test.nmfs.noaa.gov
> Pragma: no-cache
> Referer: http://www.st-test.nmfs.noaa.gov/appstech/map-test
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36
>
>
> Still get the error:
>
> Origin http://www.st-test.nmfs.noaa.gov is not allowed by
> Access-Control-Allow-Origin
>
> WOC, can you allow the header x-requested-with to see if that fixes the
> problem?
>
> Tim
>
>
> On Tue, Jun 18, 2013 at 4:26 PM, Micah Wengren <micah.wengren at noaa.gov> wrote:
>
>> Tim,
>>
>> I found this:
>> http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request
>>
>> It sounds like jQuery or some part of the CMS is trying to ask whether
>> the server will accept a header 'x-requested-with'. I'm sure that's not
>> required for OpenLayers, but it's being inserted anyway by some part of
>> your site code. I don't know if that would cause the disallowed origin
>> error message you're seeing if the non-standard header isn't supported or
>> not, but if it is, there must be some way to disable that within the
>> application, or this might get kinda complicated to get working.
>>
>> Either way, are you sure that the port on your server isn't the issue?
>> From doing a little reading, it seems that since you're using a
>> non-standard port, the 'Origin' header your site will be submitting should
>> look like this:
>>
>> Origin: http://triggerfish2.nmfs.noaa.gov:9992
>>
>> It's possible that that might not match the rules in our
>> 'Access-Control-Allow-Origin' setting, if it's only a plain string
>> comparison or something that Apache does.
>>
>> Micah
>>
>>
>>
>> On 6/18/2013 2:41 PM, Tim Haverland - NOAA Federal wrote:
>>
>> I don't know the inner workings of our content management system, so not
>> sure what's sending the x-requested-with header; however, I read that this
>> is pretty common with Ajax requests, especially from jQuery.
>>
>>
>> On Tue, Jun 18, 2013 at 2:22 PM, Micah Wengren <micah.wengren at noaa.gov> wrote:
>>
>>> Hi open.ogc at list.woc.noaa.gov,
>>>
>>> I'm sending this thread I've been on with Tim back to the email list to
>>> see if we can expedite troubleshooting what the issue is with a CORS
>>> request from Tim's development server to services.ogc.noaa.gov. He's
>>> connecting from:
>>>
>>> http://triggerfish2.nmfs.noaa.gov:9992
>>>
>>> and trying to display one of our services on an OpenLayers map (and do a
>>> GetFeatureInfo request, which leads to the need for CORS support).
>>>
>>>
>>> I don't really have the answer to his question, anyone at the WOC know
>>> about accepting non-standard headers?
>>>
>>> Tim, do you know why this header is required from your side, and what
>>> the server should be doing with it?
>>>
>>> Thanks,
>>> Micah
>>>
>>> On 6/18/2013 2:05 PM, Tim Haverland - NOAA Federal wrote:
>>>
>>> Yeah, doesn't look like the port is an issue, however, my request is
>>> sent with these headers:
>>>
>>>
>>> Access-Control-Request-Headers: origin, x-requested-with
>>>
>>>
>>> I've read that the server may need to accept "non-standard" headers. x-requested-with is
>>> a non-standard header. Is this accepted on the server side?
>>>
>>> Tim
>>>
>>>
>>> On Tue, Jun 18, 2013 at 1:35 PM, Tim Haverland - NOAA Federal <
>>> tim.haverland at noaa.gov> wrote:
>>>
>>>> yes, response header says:
>>>>
>>>> Access-Control-Allow-Origin: *.noaa.gov
>>>>
>>>>
>>>>
>>>> On Tue, Jun 18, 2013 at 1:32 PM, Micah Wengren - NOAA Federal <
>>>> micah.wengren at noaa.gov> wrote:
>>>>
>>>>> Hi Tim,
>>>>>
>>>>> I don't know what bearing ports have on CORS. Everything from
>>>>> noaa.gov should be allowed though. If you examine http headers with
>>>>> firebug or something you should be able to see the rule Chi added in the
>>>>> header list. I believe he would have added it for both http and https, but
>>>>> I'd have to check. Not at my machine right now. It's more important for
>>>>> http in this case...
>>>>>
>>>>> Micah
>>>>>
>>>>>
>>>>>
>>>>> On Tuesday, June 18, 2013, Tim Haverland - NOAA Federal <
>>>>> tim.haverland at noaa.gov> wrote:
>>>>> > Micah, is CORS supported on the production version of geoserver? I'm
>>>>> > trying to implement my map in our content management system, and get the
>>>>> > following error:
>>>>> > Origin http://triggerfish2.nmfs.noaa.gov:9992 is not allowed by
>>>>> > Access-Control-Allow-Origin.
>>>>> >
>>>>> > Maybe it's the port that's throwing things off?
>>>>> > Tim
>>>>> >
>>>>> > On Thu, Jun 13, 2013 at 1:27 PM, Micah Wengren - NOAA Federal <
>>>>> > micah.wengren at noaa.gov> wrote:
>>>>> >>
>>>>> >> Hi Tim,
>>>>> >>
>>>>> >> We have *.noaa.gov enabled anyway for CORS support now. If you
>>>>> >> can copy your openlayers page to your dev server and test it out and let me
>>>>> >> know if it works, that would be great. Whenever you get a chance, no rush.
>>>>> >>
>>>>>
>>>>
>>>
>>
>>
>> --
>> *Tim Haverland*
>> Acting Operations Branch Chief
>> NOAA Fisheries Office of Science and Technology
>> 1315 East-West Highway
>> SSMC3 Rm 12303
>> Silver Spring, MD 20910
>> 301-427-8137
>>
>>
>>
--
*Tim Haverland*
Acting Operations Branch Chief
NOAA Fisheries Office of Science and Technology
1315 East-West Highway
SSMC3 Rm 12303
Silver Spring, MD 20910
301-427-8137
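
The preflight exchange discussed in this thread, as an added example that is not part of the original messages: a simplified model of the browser-side check, showing why a literal `*.noaa.gov` value fails for any origin and why the requested headers must also be allowed, next to a server-side function that validates the origin and echoes it back. The function names, the suffix-based allowlist and the absence of `Access-Control-Allow-Headers` in the configured response are assumptions for illustration.

```javascript
// Added example: simplified model of a browser's CORS preflight check.
// preflightCheck and corsHeadersFor are hypothetical names, not a real API.

// Browser side: Access-Control-Allow-Origin is compared as a literal string.
// Only "*" or the exact Origin value passes; "*.noaa.gov" is not a pattern.
function preflightCheck(req, res) {
  const allowOrigin = res['access-control-allow-origin'];
  if (allowOrigin !== '*' && allowOrigin !== req.origin) {
    return { ok: false, reason: 'origin' };
  }
  // Simplification: every name in Access-Control-Request-Headers must be listed.
  const allowed = (res['access-control-allow-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const missing = req.requestHeaders
    .map((h) => h.toLowerCase())
    .filter((h) => !allowed.includes(h));
  return missing.length
    ? { ok: false, reason: 'headers: ' + missing.join(', ') }
    : { ok: true, reason: '' };
}

// Server side: validate Origin against the domain, then echo it back verbatim.
function corsHeadersFor(origin) {
  let url;
  try { url = new URL(origin); } catch (e) { return {}; }
  const okScheme = url.protocol === 'http:' || url.protocol === 'https:';
  // Match on a label boundary so "evilnoaa.gov" does not pass as noaa.gov.
  const okHost = url.hostname === 'noaa.gov' || url.hostname.endsWith('.noaa.gov');
  // Reject anything that is not a bare origin (path, userinfo, query).
  if (!okScheme || !okHost || url.origin !== origin) return {};
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-headers': 'origin, x-requested-with',
    'vary': 'Origin', // the response differs per Origin, so caches must key on it
  };
}

// Preflight values copied from the request quoted in the thread.
const threadPreflight = {
  origin: 'http://www.st-test.nmfs.noaa.gov',
  requestHeaders: ['origin', 'x-requested-with'],
};
// Header value as reported in the thread; no Allow-Headers is an assumption.
const asConfigured = { 'access-control-allow-origin': '*.noaa.gov' };

console.log(preflightCheck(threadPreflight, asConfigured));
console.log(preflightCheck(threadPreflight, corsHeadersFor(threadPreflight.origin)));
```

The port is part of the origin string, so `http://triggerfish2.nmfs.noaa.gov:9992` is echoed back with `:9992` intact and still matches on the browser side.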