[Open.ogc] CORS Support for services.ogc.noaa.gov
Tim Haverland - NOAA Federal
tim.haverland at noaa.gov
Fri Jun 21 15:35:04 UTC 2013
Thanks Chi - standing by to test as soon as you can implement this.
Tim
On Fri, Jun 21, 2013 at 11:25 AM, Chi Kang - NOAA Federal <
chi.y.kang at noaa.gov> wrote:
> Yea, i'm reading the same thing here. For the sake of argument /
> testing let me try "*" and have Tim validate this.
>
>
> On Thu, Jun 20, 2013 at 8:36 AM, Micah Wengren <micah.wengren at noaa.gov>
> wrote:
> > I think it may involve a more complicated way to allow by TLD or .
> noaa.gov.
> > Like you said yesterday Chi *.noaa.gov might be a valid value for that
> > header. The server might need to dynamically read the Origin header from
> > the request and return the same URL if it matches a rule. See:
> >
> >
> http://www.cameronstokes.com/2010/12/26/cross-origin-resource-sharing-and-apache-httpd/
> > or
> >
> http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains
> >
> > Might be more complicated than we expected to allow a specific domain
> > instead of "*".
> >
> > Micah
> >
> >
> >
> > On 6/19/2013 4:25 PM, Tim Haverland - NOAA Federal wrote:
> >
> > Chi - if services.ogc.noaa.gov does not allow the header
> x-requested-with,
> > and openlayers is sending that header, wouldn't that be a likely source
> of a
> > problem?
> >
> > I agree that the error message points to an Origin issue, not headers,
> but
> > it's possible that the error reported by chrome is not that helpful in
> > pinpointing the actual problem.
> >
> > Regarding the Origin, my request is coming from a noaa.gov server, so I
> > can't think of any other reason why my request is being rejected on an
> > Origin basis. You are accepting *.noaa.gov so I'd think it would be
> > accepted.
> >
> > Tim
> >
> >
> >
> > On Wed, Jun 19, 2013 at 3:01 PM, Micah Wengren <micah.wengren at noaa.gov>
> > wrote:
> >>
> >> Chi, I think it's the best option we have from a troubleshooting
> >> perspective. Other than that, I don't really have an answer myself,
> this
> >> particular topic isn't an area I'm especially familiar with. It would
> be
> >> nice to see what is required in order to support this type of
> communication
> >> with services.ogc.noaa.gov from NOAA users who want to deploy simple
> web
> >> pages connecting to the services. Tim's use case is a good model for
> what
> >> other users might want.
> >>
> >> Any suggestions welcome for what else to test though. It might be that
> we
> >> need to tell users that their Access-Control-Request-Headers needs to
> not
> >> contain any custom header names in order for CORS to work (if this was
> >> indeed the cause for the failure message).
> >>
> >> Micah
> >>
> >>
> >> On 6/19/2013 2:20 PM, Chi Kang - NOAA Federal wrote:
> >>>
> >>> Explain to me why you think allowing Access-Control-Request-Headers:
> >>> x-requested-with would solve this problem?
> >>>
> >>>
> >>> On Tue, Jun 18, 2013 at 5:33 PM, Tim Haverland - NOAA Federal
> >>> <tim.haverland at noaa.gov> wrote:
> >>>>
> >>>> OK, I was able to publish my page to our test server, and there's no
> >>>> port
> >>>> appended to the origin:
> >>>>
> >>>> Accept:
> >>>> */*
> >>>> Accept-Encoding:
> >>>> gzip,deflate,sdch
> >>>> Accept-Language:
> >>>> en-US,en;q=0.8
> >>>> Access-Control-Request-Headers:
> >>>> origin, x-requested-with
> >>>> Access-Control-Request-Method:
> >>>> GET
> >>>> Cache-Control:
> >>>> no-cache
> >>>> Connection:
> >>>> keep-alive
> >>>> Host:
> >>>> services.ogc.noaa.gov
> >>>> Origin:
> >>>> http://www.st-test.nmfs.noaa.gov
> >>>> Pragma:
> >>>> no-cache
> >>>> Referer:
> >>>> http://www.st-test.nmfs.noaa.gov/appstech/map-test
> >>>> User-Agent:
> >>>> Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like
> >>>> Gecko)
> >>>> Chrome/27.0.1453.110 Safari/537.36
> >>>>
> >>>>
> >>>> Still get the error:
> >>>>
> >>>> Origin http://www.st-test.nmfs.noaa.gov is not allowed by
> >>>> Access-Control-Allow-Origin
> >>>>
> >>>> WOC, can you allow the header x-requested-with to see if that fixes
> the
> >>>> problem?
> >>>>
> >>>> Tim
> >>>>
> >>>>
> >>>> On Tue, Jun 18, 2013 at 4:26 PM, Micah Wengren <
> micah.wengren at noaa.gov>
> >>>> wrote:
> >>>>>
> >>>>> Tim,
> >>>>>
> >>>>> I found this:
> >>>>>
> >>>>>
> http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request
> >>>>>
> >>>>> It sounds like jQuery or some part of the CMS is trying to ask
> whether
> >>>>> the
> >>>>> server will accept a header 'x-requested-with'. I'm sure that's not
> >>>>> required for OpenLayers, but it's being inserted anyway by some part
> of
> >>>>> your
> >>>>> site code. I don't know if that would cause the disallowed origin
> >>>>> error
> >>>>> message you're seeing if the non-standard header isn't supported or
> >>>>> not, but
> >>>>> if it is, there must be some way to disable that within the
> >>>>> application, or
> >>>>> this might get kinda complicated to get working.
> >>>>>
> >>>>> Either way, are you sure that the port on your server isn't the
> issue?
> >>>>> From doing a little reading, it seems that since you're using a
> >>>>> non-standard
> >>>>> port, the 'Origin' header your site will be submitting should look
> like
> >>>>> this:
> >>>>>
> >>>>> Origin: http://triggerfish2.nmfs.noaa.gov:9992
> >>>>>
> >>>>> It's possible that that might not match the rules in our
> >>>>> 'Access-Control-Allow-Origin' setting, if it's only a plain string
> >>>>> comparison or something that Apache does.
> >>>>>
> >>>>> Micah
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 6/18/2013 2:41 PM, Tim Haverland - NOAA Federal wrote:
> >>>>>
> >>>>> I don't know the inner workings of our content management system, so
> >>>>> not
> >>>>> sure what's sending the x-requested-with header; however, I read that
> >>>>> this
> >>>>> is pretty common with Ajax requests, especially from jQuery.
> >>>>>
> >>>>>
> >>>>> On Tue, Jun 18, 2013 at 2:22 PM, Micah Wengren <
> micah.wengren at noaa.gov>
> >>>>> wrote:
> >>>>>>
> >>>>>> Hi open.ogc at list.woc.noaa.gov,
> >>>>>>
> >>>>>> I'm sending this thread I've been on with Tim back to the email list
> >>>>>> to
> >>>>>> see if we can expedite troubleshooting what the issue is with a CORS
> >>>>>> request
> >>>>>> from Tim's development server to services.ogc.noaa.gov. He's
> >>>>>> connecting
> >>>>>> from:
> >>>>>>
> >>>>>> http://triggerfish2.nmfs.noaa.gov:9992
> >>>>>>
> >>>>>> and trying to display one of our services on an OpenLayers map (and
> do
> >>>>>> a
> >>>>>> GetFeatureInfo request, which leads to the need for CORS support).
> >>>>>>
> >>>>>>
> >>>>>> I don't really have the answer to his question, anyone at the WOC
> know
> >>>>>> about accepting non-standard headers?
> >>>>>>
> >>>>>> Tim, do you know why this header is required from your side, and
> what
> >>>>>> the
> >>>>>> server should be doing with it?
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Micah
> >>>>>>
> >>>>>> On 6/18/2013 2:05 PM, Tim Haverland - NOAA Federal wrote:
> >>>>>>
> >>>>>> Yeah, doesn't look like the port is an issue, however, my request is
> >>>>>> sent
> >>>>>> with these headers:
> >>>>>>
> >>>>>> Access-Control-Request-Headers:
> >>>>>> origin, x-requested-with
> >>>>>>
> >>>>>>
> >>>>>> I've read that the server may need to accept "non-standard" headers.
> >>>>>> x-requested-with is a non-standard header. Is this accepted on the
> >>>>>> server
> >>>>>> side?
> >>>>>>
> >>>>>> Tim
> >>>>>>
> >>>>>>
> >>>>>> On Tue, Jun 18, 2013 at 1:35 PM, Tim Haverland - NOAA Federal
> >>>>>> <tim.haverland at noaa.gov> wrote:
> >>>>>>>
> >>>>>>> yes, response header says:
> >>>>>>>
> >>>>>>> Access-Control-Allow-Origin:
> >>>>>>> *.noaa.gov
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On Tue, Jun 18, 2013 at 1:32 PM, Micah Wengren - NOAA Federal
> >>>>>>> <micah.wengren at noaa.gov> wrote:
> >>>>>>>>
> >>>>>>>> Hi Tim,
> >>>>>>>>
> >>>>>>>> I don't know what bearing ports have on CORS. Everything from
> >>>>>>>> noaa.gov
> >>>>>>>> should be allowed though. If you examine http headers with
> firebug
> >>>>>>>> or
> >>>>>>>> something you should be able to see the rule Chi added in the
> header
> >>>>>>>> list.
> >>>>>>>> I believe he would have added it for both http and https, but I'd
> >>>>>>>> have to
> >>>>>>>> check. Not at my machine right now. It's more important for http
> in
> >>>>>>>> this
> >>>>>>>> case...
> >>>>>>>>
> >>>>>>>> Micah
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Tuesday, June 18, 2013, Tim Haverland - NOAA Federal
> >>>>>>>> <tim.haverland at noaa.gov> wrote:
> >>>>>>>>>
> >>>>>>>>> Micah, is CORS supported on the production version of geoserver?
> >>>>>>>>> I'm
> >>>>>>>>> trying to implement my map in our content management system, and
> >>>>>>>>> get the
> >>>>>>>>> following error:
> >>>>>>>>> Origin http://triggerfish2.nmfs.noaa.gov:9992 is not allowed by
> >>>>>>>>> Access-Control-Allow-Origin.
> >>>>>>>>>
> >>>>>>>>> Maybe it's the port that's throwing things off?
> >>>>>>>>> Tim
> >>>>>>>>>
> >>>>>>>>> On Thu, Jun 13, 2013 at 1:27 PM, Micah Wengren - NOAA Federal
> >>>>>>>>> <micah.wengren at noaa.gov> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Hi Tim,
> >>>>>>>>>>
> >>>>>>>>>> We have *.noaa.gov enabled anyway for CORS support now. If you
> >>>>>>>>>> can
> >>>>>>>>>> copy your openlayers page to your dev server and test it out and
> >>>>>>>>>> let me know
> >>>>>>>>>> if it works, that would be great. Whenever you get a chance, no
> >>>>>>>>>> rush.
> >>>>>>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Tim Haverland
> >>>>> Acting Operations Branch Chief
> >>>>> NOAA Fisheries Office of Science and Technology
> >>>>> 1315 East-West Highway
> >>>>> SSMC3 Rm 12303
> >>>>> Silver Spring, MD 20910
> >>>>> 301-427-8137
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>> Tim Haverland
> >>>> Acting Operations Branch Chief
> >>>> NOAA Fisheries Office of Science and Technology
> >>>> 1315 East-West Highway
> >>>> SSMC3 Rm 12303
> >>>> Silver Spring, MD 20910
> >>>> 301-427-8137
> >>>>
> >>>> _______________________________________________
> >>>> Open.ogc mailing list
> >>>> Open.ogc at list.woc.noaa.gov
> >>>> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
> >>>>
> >>>
> >>>
> >>
> >
> >
> >
> > --
> > Tim Haverland
> > Acting Operations Branch Chief
> > NOAA Fisheries Office of Science and Technology
> > 1315 East-West Highway
> > SSMC3 Rm 12303
> > Silver Spring, MD 20910
> > 301-427-8137
> >
> >
>
>
>
> --
> Chi Y Kang
> Principal Engineer
> Phone: 301.628.5642
> Cell: 240.338.1059
>
--
*Tim Haverland*
Acting Operations Branch Chief
NOAA Fisheries Office of Science and Technology
1315 East-West Highway
SSMC3 Rm 12303
Silver Spring, MD 20910
301-427-8137
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://list.woc.noaa.gov/pipermail/open.ogc/attachments/20130621/674e0551/attachment-0001.html>
More information about the Open.ogc
mailing list