[Open.ogc] CORS Support for services.ogc.noaa.gov

Micah Wengren micah.wengren at noaa.gov
Wed Jun 19 19:01:00 UTC 2013 

Chi,  I think it's the best option we have from a troubleshooting 
perspective.  Other than that, I don't really have an answer myself, 
this particular topic isn't an area I'm especially familiar with.  It 
would be nice to see what is required in order to support this type of 
communication with services.ogc.noaa.gov from NOAA users who want to 
deploy simple web pages connecting to the services.  Tim's use case is a 
good model for what other users might want.

Any suggestions welcome for what else to test though.  It might be that 
we need to tell users that their Access-Control-Request-Headers needs to 
not contain any custom header names in order for CORS to work (if this 
was indeed the cause for the failure message).

Micah

On 6/19/2013 2:20 PM, Chi Kang - NOAA Federal wrote:
> Explain to me why you think allowing Access-Control-Request-Headers:
> x-requested-with would solve this problem?
>
>
> On Tue, Jun 18, 2013 at 5:33 PM, Tim Haverland - NOAA Federal
> <tim.haverland at noaa.gov> wrote:
>> OK, I was able to publish my page to our test server, and there's no port
>> appended to the origin:
>>
>> Accept:
>> */*
>> Accept-Encoding:
>> gzip,deflate,sdch
>> Accept-Language:
>> en-US,en;q=0.8
>> Access-Control-Request-Headers:
>> origin, x-requested-with
>> Access-Control-Request-Method:
>> GET
>> Cache-Control:
>> no-cache
>> Connection:
>> keep-alive
>> Host:
>> services.ogc.noaa.gov
>> Origin:
>> http://www.st-test.nmfs.noaa.gov
>> Pragma:
>> no-cache
>> Referer:
>> http://www.st-test.nmfs.noaa.gov/appstech/map-test
>> User-Agent:
>> Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
>> Chrome/27.0.1453.110 Safari/537.36
>>
>>
>> Still get the error:
>>
>> Origin http://www.st-test.nmfs.noaa.gov is not allowed by
>> Access-Control-Allow-Origin
>>
>> WOC, can you allow the header x-requested-with to see if that fixes the
>> problem?
>>
>> Tim
>>
>>
>> On Tue, Jun 18, 2013 at 4:26 PM, Micah Wengren <micah.wengren at noaa.gov>
>> wrote:
>>> Tim,
>>>
>>> I found this:
>>> http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request
>>>
>>> It sounds like jQuery or some part of the CMS is trying to ask whether the
>>> server will accept a header 'x-requested-with'.  I'm sure that's not
>>> required for OpenLayers, but it's being inserted anyway by some part of your
>>> site code.  I don't know if that would cause the disallowed origin error
>>> message you're seeing if the non-standard header isn't supported or not, but
>>> if it is, there must be some way to disable that within the application, or
>>> this might get kinda complicated to get working.
>>>
>>> Either way, are you sure that the port on your server isn't the issue?
>>>  From doing a little reading, it seems that since you're using a non-standard
>>> port, the 'Origin' header your site will be submitting should look like
>>> this:
>>>
>>> Origin: http://triggerfish2.nmfs.noaa.gov:9992
>>>
>>> It's possible that that might not match the rules in our
>>> 'Access-Control-Allow-Origin' setting, if it's only a plain string
>>> comparison or something that Apache does.
>>>
>>> Micah
>>>
>>>
>>>
>>> On 6/18/2013 2:41 PM, Tim Haverland - NOAA Federal wrote:
>>>
>>> I don't know the inner workings of our content management system, so not
>>> sure what's sending the x-requested-with header; however, I read that this
>>> is pretty common with Ajax requests, especially from jQuery.
>>>
>>>
>>> On Tue, Jun 18, 2013 at 2:22 PM, Micah Wengren <micah.wengren at noaa.gov>
>>> wrote:
>>>> Hi open.ogc at list.woc.noaa.gov,
>>>>
>>>> I'm sending this thread I've been on with Tim back to the email list to
>>>> see if we can expedite troubleshooting what the issue is with a CORS request
>>>> from Tim's development server to services.ogc.noaa.gov. He's connecting
>>>> from:
>>>>
>>>> http://triggerfish2.nmfs.noaa.gov:9992
>>>>
>>>> and trying to display one of our services on an OpenLayers map (and do a
>>>> GetFeatureInfo request, which leads to the need  for CORS support).
>>>>
>>>>
>>>> I don't really have the answer to his question, anyone at the WOC know
>>>> about accepting non-standard headers?
>>>>
>>>> Tim, do you know why this header is required from your side, and what the
>>>> server should be doing with it?
>>>>
>>>> Thanks,
>>>> Micah
>>>>
>>>> On 6/18/2013 2:05 PM, Tim Haverland - NOAA Federal wrote:
>>>>
>>>> Yeah, doesn't look like the port is an issue, however, my request is sent
>>>> with these headers:
>>>>
>>>> Access-Control-Request-Headers:
>>>> origin, x-requested-with
>>>>
>>>>
>>>> I've read that the server may need to accept "non-standard" headers.
>>>> x-requested-with is a non-standard header. Is this accepted on the server
>>>> side?
>>>>
>>>> Tim
>>>>
>>>>
>>>> On Tue, Jun 18, 2013 at 1:35 PM, Tim Haverland - NOAA Federal
>>>> <tim.haverland at noaa.gov> wrote:
>>>>> yes, response header says:
>>>>>
>>>>> Access-Control-Allow-Origin:
>>>>> *.noaa.gov
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Jun 18, 2013 at 1:32 PM, Micah Wengren - NOAA Federal
>>>>> <micah.wengren at noaa.gov> wrote:
>>>>>> Hi Tim,
>>>>>>
>>>>>> I don't know what bearing ports have on CORS.  Everything from noaa.gov
>>>>>> should be allowed though.  If you examine http headers with firebug or
>>>>>> something you should be able to see the rule Chi added in the header list.
>>>>>> I believe he would have added it for both http and https, but I'd have to
>>>>>> check. Not at my machine right now. It's more important for http in this
>>>>>> case...
>>>>>>
>>>>>> Micah
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tuesday, June 18, 2013, Tim Haverland - NOAA Federal
>>>>>> <tim.haverland at noaa.gov> wrote:
>>>>>>> Micah, is CORS supported on the production version of geoserver? I'm
>>>>>>> trying to implement my map in our content management system, and get the
>>>>>>> following error:
>>>>>>> Origin http://triggerfish2.nmfs.noaa.gov:9992 is not allowed by
>>>>>>> Access-Control-Allow-Origin.
>>>>>>>
>>>>>>> Maybe it's the port that's throwing things off?
>>>>>>> Tim
>>>>>>>
>>>>>>> On Thu, Jun 13, 2013 at 1:27 PM, Micah Wengren - NOAA Federal
>>>>>>> <micah.wengren at noaa.gov> wrote:
>>>>>>>> Hi Tim,
>>>>>>>>
>>>>>>>> We have *.noaa.gov enabled anyway for CORS support now.  If you can
>>>>>>>> copy your openlayers page to your dev server and test it out and let me know
>>>>>>>> if it works, that would be great. Whenever you get a chance, no rush.
>>>>>>>>
>>>>
>>>
>>>
>>> --
>>> Tim Haverland
>>> Acting Operations Branch Chief
>>> NOAA Fisheries Office of Science and Technology
>>> 1315 East-West Highway
>>> SSMC3 Rm 12303
>>> Silver Spring, MD 20910
>>> 301-427-8137
>>>
>>>
>>
>>
>> --
>> Tim Haverland
>> Acting Operations Branch Chief
>> NOAA Fisheries Office of Science and Technology
>> 1315 East-West Highway
>> SSMC3 Rm 12303
>> Silver Spring, MD 20910
>> 301-427-8137
>>
>> _______________________________________________
>> Open.ogc mailing list
>> Open.ogc at list.woc.noaa.gov
>> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
>>
>
>

More information about the Open.ogc mailing list