[Open.ogc] CORS Support for services.ogc.noaa.gov

Chi Kang - NOAA Federal chi.y.kang at noaa.gov
Fri Jun 21 15:25:03 UTC 2013


Yeah, I'm reading the same thing here. For the sake of argument /
testing let me try "*" and have Tim validate this.


On Thu, Jun 20, 2013 at 8:36 AM, Micah Wengren <micah.wengren at noaa.gov> wrote:
> I think it may involve a more complicated way to allow by TLD or .noaa.gov.
> Like you said yesterday Chi *.noaa.gov might be a valid value for that
> header.  The server might need to dynamically read the Origin header from
> the request and return the same URL if it matches a rule.  See:
>
> http://www.cameronstokes.com/2010/12/26/cross-origin-resource-sharing-and-apache-httpd/
> or
> http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains
>
> Might be more complicated than we expected to allow a specific domain
> instead of "*".
>
> Micah
>
>
>
> On 6/19/2013 4:25 PM, Tim Haverland - NOAA Federal wrote:
>
> Chi - if services.ogc.noaa.gov does not allow the header x-requested-with,
> and openlayers is sending that header, wouldn't that be a likely source of a
> problem?
>
> I agree that the error message points to an Origin issue, not headers, but
> it's possible that the error reported by chrome is not that helpful in
> pinpointing the actual problem.
>
> Regarding the Origin, my request is coming from a noaa.gov server, so I
> can't think of any other reason why my request is being rejected on an
> Origin basis. You are accepting *.noaa.gov so I'd think it would be
> accepted.
>
> Tim
>
>
>
> On Wed, Jun 19, 2013 at 3:01 PM, Micah Wengren <micah.wengren at noaa.gov>
> wrote:
>>
>> Chi,  I think it's the best option we have from a troubleshooting
>> perspective.  Other than that, I don't really have an answer myself, this
>> particular topic isn't an area I'm especially familiar with.  It would be
>> nice to see what is required in order to support this type of communication
>> with services.ogc.noaa.gov from NOAA users who want to deploy simple web
>> pages connecting to the services.  Tim's use case is a good model for what
>> other users might want.
>>
>> Any suggestions welcome for what else to test though.  It might be that we
>> need to tell users that their Access-Control-Request-Headers needs to not
>> contain any custom header names in order for CORS to work (if this was
>> indeed the cause for the failure message).
>>
>> Micah
>>
>>
>> On 6/19/2013 2:20 PM, Chi Kang - NOAA Federal wrote:
>>>
>>> Explain to me why you think allowing Access-Control-Request-Headers:
>>> x-requested-with would solve this problem?
>>>
>>>
>>> On Tue, Jun 18, 2013 at 5:33 PM, Tim Haverland - NOAA Federal
>>> <tim.haverland at noaa.gov> wrote:
>>>>
>>>> OK, I was able to publish my page to our test server, and there's no
>>>> port
>>>> appended to the origin:
>>>>
>>>> Accept: */*
>>>> Accept-Encoding: gzip,deflate,sdch
>>>> Accept-Language: en-US,en;q=0.8
>>>> Access-Control-Request-Headers: origin, x-requested-with
>>>> Access-Control-Request-Method: GET
>>>> Cache-Control: no-cache
>>>> Connection: keep-alive
>>>> Host: services.ogc.noaa.gov
>>>> Origin: http://www.st-test.nmfs.noaa.gov
>>>> Pragma: no-cache
>>>> Referer: http://www.st-test.nmfs.noaa.gov/appstech/map-test
>>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36
>>>>
>>>>
>>>> Still get the error:
>>>>
>>>> Origin http://www.st-test.nmfs.noaa.gov is not allowed by
>>>> Access-Control-Allow-Origin
>>>>
>>>> WOC, can you allow the header x-requested-with to see if that fixes the
>>>> problem?
>>>>
>>>> Tim
>>>>
>>>>
>>>> On Tue, Jun 18, 2013 at 4:26 PM, Micah Wengren <micah.wengren at noaa.gov>
>>>> wrote:
>>>>>
>>>>> Tim,
>>>>>
>>>>> I found this:
>>>>>
>>>>> http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request
>>>>>
>>>>> It sounds like jQuery or some part of the CMS is trying to ask whether
>>>>> the
>>>>> server will accept a header 'x-requested-with'.  I'm sure that's not
>>>>> required for OpenLayers, but it's being inserted anyway by some part of
>>>>> your
>>>>> site code.  I don't know if that would cause the disallowed origin
>>>>> error
>>>>> message you're seeing if the non-standard header isn't supported or
>>>>> not, but
>>>>> if it is, there must be some way to disable that within the
>>>>> application, or
>>>>> this might get kinda complicated to get working.
>>>>>
>>>>> Either way, are you sure that the port on your server isn't the issue?
>>>>>  From doing a little reading, it seems that since you're using a
>>>>> non-standard
>>>>> port, the 'Origin' header your site will be submitting should look like
>>>>> this:
>>>>>
>>>>> Origin: http://triggerfish2.nmfs.noaa.gov:9992
>>>>>
>>>>> It's possible that that might not match the rules in our
>>>>> 'Access-Control-Allow-Origin' setting, if it's only a plain string
>>>>> comparison or something that Apache does.
>>>>>
>>>>> Micah
>>>>>
>>>>>
>>>>>
>>>>> On 6/18/2013 2:41 PM, Tim Haverland - NOAA Federal wrote:
>>>>>
>>>>> I don't know the inner workings of our content management system, so
>>>>> not
>>>>> sure what's sending the x-requested-with header; however, I read that
>>>>> this
>>>>> is pretty common with Ajax requests, especially from jQuery.
>>>>>
>>>>>
>>>>> On Tue, Jun 18, 2013 at 2:22 PM, Micah Wengren <micah.wengren at noaa.gov>
>>>>> wrote:
>>>>>>
>>>>>> Hi open.ogc at list.woc.noaa.gov,
>>>>>>
>>>>>> I'm sending this thread I've been on with Tim back to the email list
>>>>>> to
>>>>>> see if we can expedite troubleshooting what the issue is with a CORS
>>>>>> request
>>>>>> from Tim's development server to services.ogc.noaa.gov. He's
>>>>>> connecting
>>>>>> from:
>>>>>>
>>>>>> http://triggerfish2.nmfs.noaa.gov:9992
>>>>>>
>>>>>> and trying to display one of our services on an OpenLayers map (and do
>>>>>> a
>>>>>> GetFeatureInfo request, which leads to the need  for CORS support).
>>>>>>
>>>>>>
>>>>>> I don't really have the answer to his question, anyone at the WOC know
>>>>>> about accepting non-standard headers?
>>>>>>
>>>>>> Tim, do you know why this header is required from your side, and what
>>>>>> the
>>>>>> server should be doing with it?
>>>>>>
>>>>>> Thanks,
>>>>>> Micah
>>>>>>
>>>>>> On 6/18/2013 2:05 PM, Tim Haverland - NOAA Federal wrote:
>>>>>>
>>>>>> Yeah, doesn't look like the port is an issue, however, my request is
>>>>>> sent
>>>>>> with these headers:
>>>>>>
>>>>>> Access-Control-Request-Headers: origin, x-requested-with
>>>>>>
>>>>>>
>>>>>> I've read that the server may need to accept "non-standard" headers.
>>>>>> x-requested-with is a non-standard header. Is this accepted on the
>>>>>> server
>>>>>> side?
>>>>>>
>>>>>> Tim
>>>>>>
>>>>>>
>>>>>> On Tue, Jun 18, 2013 at 1:35 PM, Tim Haverland - NOAA Federal
>>>>>> <tim.haverland at noaa.gov> wrote:
>>>>>>>
>>>>>>> yes, response header says:
>>>>>>>
>>>>>>> Access-Control-Allow-Origin: *.noaa.gov
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jun 18, 2013 at 1:32 PM, Micah Wengren - NOAA Federal
>>>>>>> <micah.wengren at noaa.gov> wrote:
>>>>>>>>
>>>>>>>> Hi Tim,
>>>>>>>>
>>>>>>>> I don't know what bearing ports have on CORS.  Everything from
>>>>>>>> noaa.gov
>>>>>>>> should be allowed though.  If you examine http headers with firebug
>>>>>>>> or
>>>>>>>> something you should be able to see the rule Chi added in the header
>>>>>>>> list.
>>>>>>>> I believe he would have added it for both http and https, but I'd
>>>>>>>> have to
>>>>>>>> check. Not at my machine right now. It's more important for http in
>>>>>>>> this
>>>>>>>> case...
>>>>>>>>
>>>>>>>> Micah
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tuesday, June 18, 2013, Tim Haverland - NOAA Federal
>>>>>>>> <tim.haverland at noaa.gov> wrote:
>>>>>>>>>
>>>>>>>>> Micah, is CORS supported on the production version of geoserver?
>>>>>>>>> I'm
>>>>>>>>> trying to implement my map in our content management system, and
>>>>>>>>> get the
>>>>>>>>> following error:
>>>>>>>>> Origin http://triggerfish2.nmfs.noaa.gov:9992 is not allowed by
>>>>>>>>> Access-Control-Allow-Origin.
>>>>>>>>>
>>>>>>>>> Maybe it's the port that's throwing things off?
>>>>>>>>> Tim
>>>>>>>>>
>>>>>>>>> On Thu, Jun 13, 2013 at 1:27 PM, Micah Wengren - NOAA Federal
>>>>>>>>> <micah.wengren at noaa.gov> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Tim,
>>>>>>>>>>
>>>>>>>>>> We have *.noaa.gov enabled anyway for CORS support now.  If you
>>>>>>>>>> can
>>>>>>>>>> copy your openlayers page to your dev server and test it out and
>>>>>>>>>> let me know
>>>>>>>>>> if it works, that would be great. Whenever you get a chance, no
>>>>>>>>>> rush.
>>>>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Tim Haverland
>>>>> Acting Operations Branch Chief
>>>>> NOAA Fisheries Office of Science and Technology
>>>>> 1315 East-West Highway
>>>>> SSMC3 Rm 12303
>>>>> Silver Spring, MD 20910
>>>>> 301-427-8137
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
>
>
>



-- 
Chi Y Kang
Principal Engineer
Phone: 301.628.5642
Cell: 240.338.1059
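
Added example (not part of the original thread, and not the configuration used on services.ogc.noaa.gov): a Python version of the approach Micah describes, where the server reads the request's Origin header and returns that same value only if it matches a rule. A browser compares Access-Control-Allow-Origin to the page's origin as an exact string (or the lone `*`), so a literal `*.noaa.gov` never matches. The accepted request headers and the GET-only method list are assumptions; the non-NOAA hostnames are constructed.

```python
from urllib.parse import urlsplit

ALLOWED_SUFFIX = "noaa.gov"                               # rule from the thread
ALLOWED_REQUEST_HEADERS = {"origin", "x-requested-with"}  # assumption
ALLOWED_METHODS = {"GET"}                                 # assumption


def origin_allowed(origin):
    """True only for http(s) origins whose host is noaa.gov or a subdomain."""
    try:
        parts = urlsplit(origin)
        host = parts.hostname
        parts.port                      # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    # An origin is scheme://host[:port]; refuse userinfo, path, query, fragment.
    if parts.username or parts.path or parts.query or parts.fragment:
        return False
    # Match on a label boundary, never with a bare substring or suffix test.
    return host == ALLOWED_SUFFIX or host.endswith("." + ALLOWED_SUFFIX)


def cors_headers(request_headers):
    """CORS response headers for a request, or {} when it is refused."""
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin", "")
    if not origin_allowed(origin):
        return {}
    # Echo the exact origin; Vary keeps caches from reusing it for other sites.
    resp = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    method = req.get("access-control-request-method")
    if method is not None:              # this is a preflight (OPTIONS) request
        asked = {h.strip().lower() for h in
                 req.get("access-control-request-headers", "").split(",")
                 if h.strip()}
        if method not in ALLOWED_METHODS or not asked <= ALLOWED_REQUEST_HEADERS:
            return {}
        resp["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        resp["Access-Control-Allow-Headers"] = ", ".join(sorted(asked))
    return resp


# Preflight headers as quoted in the thread (CORS-relevant subset).
PREFLIGHT = {
    "Origin": "http://www.st-test.nmfs.noaa.gov",
    "Access-Control-Request-Method": "GET",
    "Access-Control-Request-Headers": "origin, x-requested-with",
}
```
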

