[Open.ogc] CORS Support for services.ogc.noaa.gov
Micah Wengren
micah.wengren at noaa.gov
Thu Jun 20 12:36:05 UTC 2013
I think it may involve a more complicated way to allow by TLD or
.noaa.gov. Like you said yesterday Chi *.noaa.gov might be a valid
value for that header. The server might need to dynamically read the
Origin header from the request and return the same URL if it matches a
rule. See:
http://www.cameronstokes.com/2010/12/26/cross-origin-resource-sharing-and-apache-httpd/
or
http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains
Might be more complicated than we expected to allow a specific domain
instead of "*".
Micah
On 6/19/2013 4:25 PM, Tim Haverland - NOAA Federal wrote:
> Chi - if services.ogc.noaa.gov <http://services.ogc.noaa.gov> does not
> allow the header x-requested-with, and openlayers is sending that
> header, wouldn't that be a likely source of a problem?
>
> I agree that the error message points to an Origin issue, not headers,
> but it's possible that the error reported by chrome is not that
> helpful in pinpointing the actual problem.
>
> Regarding the Origin, my request is coming from a noaa.gov
> <http://noaa.gov> server, so I can't think of any other reason why my
> request is being rejected on an Origin basis. You are accepting
> *.noaa.gov <http://noaa.gov> so I'd think it would be accepted.
>
> Tim
>
>
>
> On Wed, Jun 19, 2013 at 3:01 PM, Micah Wengren <micah.wengren at noaa.gov
> <mailto:micah.wengren at noaa.gov>> wrote:
>
> Chi, I think it's the best option we have from a troubleshooting
> perspective. Other than that, I don't really have an answer
> myself, this particular topic isn't an area I'm especially
> familiar with. It would be nice to see what is required in order
> to support this type of communication with services.ogc.noaa.gov
> <http://services.ogc.noaa.gov> from NOAA users who want to deploy
> simple web pages connecting to the services. Tim's use case is a
> good model for what other users might want.
>
> Any suggestions welcome for what else to test though. It might be
> that we need to tell users that their
> Access-Control-Request-Headers needs to not contain any custom
> header names in order for CORS to work (if this was indeed the
> cause for the failure message).
>
> Micah
>
>
> On 6/19/2013 2:20 PM, Chi Kang - NOAA Federal wrote:
>
> Explain to me why you think allowing
> Access-Control-Request-Headers:
> x-requested-with would solve this problem?
>
>
> On Tue, Jun 18, 2013 at 5:33 PM, Tim Haverland - NOAA Federal
> <tim.haverland at noaa.gov <mailto:tim.haverland at noaa.gov>> wrote:
>
> OK, I was able to publish my page to our test server, and
> there's no port
> appended to the origin:
>
> Accept:
> */*
> Accept-Encoding:
> gzip,deflate,sdch
> Accept-Language:
> en-US,en;q=0.8
> Access-Control-Request-Headers:
> origin, x-requested-with
> Access-Control-Request-Method:
> GET
> Cache-Control:
> no-cache
> Connection:
> keep-alive
> Host:
> services.ogc.noaa.gov <http://services.ogc.noaa.gov>
> Origin:
> http://www.st-test.nmfs.noaa.gov
> Pragma:
> no-cache
> Referer:
> http://www.st-test.nmfs.noaa.gov/appstech/map-test
> User-Agent:
> Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
> (KHTML, like Gecko)
> Chrome/27.0.1453.110 Safari/537.36
>
>
> Still get the error:
>
> Origin http://www.st-test.nmfs.noaa.gov is not allowed by
> Access-Control-Allow-Origin
>
> WOC, can you allow the header x-requested-with to see if
> that fixes the
> problem?
>
> Tim
>
>
> On Tue, Jun 18, 2013 at 4:26 PM, Micah Wengren
> <micah.wengren at noaa.gov <mailto:micah.wengren at noaa.gov>>
> wrote:
>
> Tim,
>
> I found this:
> http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request
>
> It sounds like jQuery or some part of the CMS is
> trying to ask whether the
> server will accept a header 'x-requested-with'. I'm
> sure that's not
> required for OpenLayers, but it's being inserted
> anyway by some part of your
> site code. I don't know if that would cause the
> disallowed origin error
> message you're seeing if the non-standard header isn't
> supported or not, but
> if it is, there must be some way to disable that
> within the application, or
> this might get kinda complicated to get working.
>
> Either way, are you sure that the port on your server
> isn't the issue?
> From doing a little reading, it seems that since
> you're using a non-standard
> port, the 'Origin' header your site will be submitting
> should look like
> this:
>
> Origin: http://triggerfish2.nmfs.noaa.gov:9992
>
> It's possible that that might not match the rules in our
> 'Access-Control-Allow-Origin' setting, if it's only a
> plain string
> comparison or something that Apache does.
>
> Micah
>
>
>
> On 6/18/2013 2:41 PM, Tim Haverland - NOAA Federal wrote:
>
> I don't know the inner workings of our content
> management system, so not
> sure what's sending the x-requested-with header;
> however, I read that this
> is pretty common with Ajax requests, especially from
> jQuery.
>
>
> On Tue, Jun 18, 2013 at 2:22 PM, Micah Wengren
> <micah.wengren at noaa.gov <mailto:micah.wengren at noaa.gov>>
> wrote:
>
> Hi open.ogc at list.woc.noaa.gov
> <mailto:open.ogc at list.woc.noaa.gov>,
>
> I'm sending this thread I've been on with Tim back
> to the email list to
> see if we can expedite troubleshooting what the
> issue is with a CORS request
> from Tim's development server to
> services.ogc.noaa.gov
> <http://services.ogc.noaa.gov>. He's connecting
> from:
>
> http://triggerfish2.nmfs.noaa.gov:9992
>
> and trying to display one of our services on an
> OpenLayers map (and do a
> GetFeatureInfo request, which leads to the need
> for CORS support).
>
>
> I don't really have the answer to his question,
> anyone at the WOC know
> about accepting non-standard headers?
>
> Tim, do you know why this header is required from
> your side, and what the
> server should be doing with it?
>
> Thanks,
> Micah
>
> On 6/18/2013 2:05 PM, Tim Haverland - NOAA Federal
> wrote:
>
> Yeah, doesn't look like the port is an issue,
> however, my request is sent
> with these headers:
>
> Access-Control-Request-Headers:
> origin, x-requested-with
>
>
> I've read that the server may need to accept
> "non-standard" headers.
> x-requested-with is a non-standard header. Is this
> accepted on the server
> side?
>
> Tim
>
>
> On Tue, Jun 18, 2013 at 1:35 PM, Tim Haverland -
> NOAA Federal
> <tim.haverland at noaa.gov
> <mailto:tim.haverland at noaa.gov>> wrote:
>
> yes, response header says:
>
> Access-Control-Allow-Origin:
> *.noaa.gov <http://noaa.gov>
>
>
>
> On Tue, Jun 18, 2013 at 1:32 PM, Micah Wengren
> - NOAA Federal
> <micah.wengren at noaa.gov
> <mailto:micah.wengren at noaa.gov>> wrote:
>
> Hi Tim,
>
> I don't know what bearing ports have on
> CORS. Everything from noaa.gov
> <http://noaa.gov>
> should be allowed though. If you examine
> http headers with firebug or
> something you should be able to see the
> rule Chi added in the header list.
> I believe he would have added it for both
> http and https, but I'd have to
> check. Not at my machine right now. It's
> more important for http in this
> case...
>
> Micah
>
>
>
> On Tuesday, June 18, 2013, Tim Haverland -
> NOAA Federal
> <tim.haverland at noaa.gov
> <mailto:tim.haverland at noaa.gov>> wrote:
>
> Micah, is CORS supported on the
> production version of geoserver? I'm
> trying to implement my map in our
> content management system, and get the
> following error:
> Origin
> http://triggerfish2.nmfs.noaa.gov:9992
> is not allowed by
> Access-Control-Allow-Origin.
>
> Maybe it's the port that's throwing
> things off?
> Tim
>
> On Thu, Jun 13, 2013 at 1:27 PM, Micah
> Wengren - NOAA Federal
> <micah.wengren at noaa.gov
> <mailto:micah.wengren at noaa.gov>> wrote:
>
> Hi Tim,
>
> We have *.noaa.gov
> <http://noaa.gov> enabled anyway
> for CORS support now. If you can
> copy your openlayers page to your
> dev server and test it out and let
> me know
> if it works, that would be great.
> Whenever you get a chance, no rush.
>
>
>
>
> --
> Tim Haverland
> Acting Operations Branch Chief
> NOAA Fisheries Office of Science and Technology
> 1315 East-West Highway
> SSMC3 Rm 12303
> Silver Spring, MD 20910
> 301-427-8137 <tel:301-427-8137>
>
>
>
>
> --
> Tim Haverland
> Acting Operations Branch Chief
> NOAA Fisheries Office of Science and Technology
> 1315 East-West Highway
> SSMC3 Rm 12303
> Silver Spring, MD 20910
> 301-427-8137 <tel:301-427-8137>
>
> _______________________________________________
> Open.ogc mailing list
> Open.ogc at list.woc.noaa.gov <mailto:Open.ogc at list.woc.noaa.gov>
> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
>
>
>
>
>
>
>
> --
> *Tim Haverland*
> Acting Operations Branch Chief
> NOAA Fisheries Office of Science and Technology
> 1315 East-West Highway
> SSMC3 Rm 12303
> Silver Spring, MD 20910
> 301-427-8137
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://list.woc.noaa.gov/pipermail/open.ogc/attachments/20130620/1c0a8fc9/attachment-0001.html>
More information about the Open.ogc
mailing list