[Open.ogc] CORS Support for services.ogc.noaa.gov
Micah Wengren
micah.wengren at noaa.gov
Fri Jun 21 15:48:56 UTC 2013
Great! Let us know the outcome.....
Micah
On 6/21/2013 11:35 AM, Tim Haverland - NOAA Federal wrote:
> Thanks Chi - standing by to test as soon as you can implement this.
>
> Tim
>
>
> On Fri, Jun 21, 2013 at 11:25 AM, Chi Kang - NOAA Federal
> <chi.y.kang at noaa.gov <mailto:chi.y.kang at noaa.gov>> wrote:
>
> Yea, i'm reading the same thing here. For the sake of argument /
> testing let me try "*" and have Tim validate this.
>
>
> On Thu, Jun 20, 2013 at 8:36 AM, Micah Wengren
> <micah.wengren at noaa.gov <mailto:micah.wengren at noaa.gov>> wrote:
> > I think it may involve a more complicated way to allow by TLD or
> .noaa.gov <http://noaa.gov>.
> > Like you said yesterday Chi *.noaa.gov <http://noaa.gov> might
> be a valid value for that
> > header. The server might need to dynamically read the Origin
> header from
> > the request and return the same URL if it matches a rule. See:
> >
> >
> http://www.cameronstokes.com/2010/12/26/cross-origin-resource-sharing-and-apache-httpd/
> > or
> >
> http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains
> >
> > Might be more complicated than we expected to allow a specific
> domain
> > instead of "*".
> >
> > Micah
> >
> >
> >
> > On 6/19/2013 4:25 PM, Tim Haverland - NOAA Federal wrote:
> >
> > Chi - if services.ogc.noaa.gov <http://services.ogc.noaa.gov>
> does not allow the header x-requested-with,
> > and openlayers is sending that header, wouldn't that be a likely
> source of a
> > problem?
> >
> > I agree that the error message points to an Origin issue, not
> headers, but
> > it's possible that the error reported by chrome is not that
> helpful in
> > pinpointing the actual problem.
> >
> > Regarding the Origin, my request is coming from a noaa.gov
> <http://noaa.gov> server, so I
> > can't think of any other reason why my request is being rejected
> on an
> > Origin basis. You are accepting *.noaa.gov <http://noaa.gov> so
> I'd think it would be
> > accepted.
> >
> > Tim
> >
> >
> >
> > On Wed, Jun 19, 2013 at 3:01 PM, Micah Wengren
> <micah.wengren at noaa.gov <mailto:micah.wengren at noaa.gov>>
> > wrote:
> >>
> >> Chi, I think it's the best option we have from a troubleshooting
> >> perspective. Other than that, I don't really have an answer
> myself, this
> >> particular topic isn't an area I'm especially familiar with.
> It would be
> >> nice to see what is required in order to support this type of
> communication
> >> with services.ogc.noaa.gov <http://services.ogc.noaa.gov> from
> NOAA users who want to deploy simple web
> >> pages connecting to the services. Tim's use case is a good
> model for what
> >> other users might want.
> >>
> >> Any suggestions welcome for what else to test though. It might
> be that we
> >> need to tell users that their Access-Control-Request-Headers
> needs to not
> >> contain any custom header names in order for CORS to work (if
> this was
> >> indeed the cause for the failure message).
> >>
> >> Micah
> >>
> >>
> >> On 6/19/2013 2:20 PM, Chi Kang - NOAA Federal wrote:
> >>>
> >>> Explain to me why you think allowing
> Access-Control-Request-Headers:
> >>> x-requested-with would solve this problem?
> >>>
> >>>
> >>> On Tue, Jun 18, 2013 at 5:33 PM, Tim Haverland - NOAA Federal
> >>> <tim.haverland at noaa.gov <mailto:tim.haverland at noaa.gov>> wrote:
> >>>>
> >>>> OK, I was able to publish my page to our test server, and
> there's no
> >>>> port
> >>>> appended to the origin:
> >>>>
> >>>> Accept:
> >>>> */*
> >>>> Accept-Encoding:
> >>>> gzip,deflate,sdch
> >>>> Accept-Language:
> >>>> en-US,en;q=0.8
> >>>> Access-Control-Request-Headers:
> >>>> origin, x-requested-with
> >>>> Access-Control-Request-Method:
> >>>> GET
> >>>> Cache-Control:
> >>>> no-cache
> >>>> Connection:
> >>>> keep-alive
> >>>> Host:
> >>>> services.ogc.noaa.gov <http://services.ogc.noaa.gov>
> >>>> Origin:
> >>>> http://www.st-test.nmfs.noaa.gov
> >>>> Pragma:
> >>>> no-cache
> >>>> Referer:
> >>>> http://www.st-test.nmfs.noaa.gov/appstech/map-test
> >>>> User-Agent:
> >>>> Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
> (KHTML, like
> >>>> Gecko)
> >>>> Chrome/27.0.1453.110 Safari/537.36
> >>>>
> >>>>
> >>>> Still get the error:
> >>>>
> >>>> Origin http://www.st-test.nmfs.noaa.gov is not allowed by
> >>>> Access-Control-Allow-Origin
> >>>>
> >>>> WOC, can you allow the header x-requested-with to see if that
> fixes the
> >>>> problem?
> >>>>
> >>>> Tim
> >>>>
> >>>>
> >>>> On Tue, Jun 18, 2013 at 4:26 PM, Micah Wengren
> <micah.wengren at noaa.gov <mailto:micah.wengren at noaa.gov>>
> >>>> wrote:
> >>>>>
> >>>>> Tim,
> >>>>>
> >>>>> I found this:
> >>>>>
> >>>>>
> http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request
> >>>>>
> >>>>> It sounds like jQuery or some part of the CMS is trying to
> ask whether
> >>>>> the
> >>>>> server will accept a header 'x-requested-with'. I'm sure
> that's not
> >>>>> required for OpenLayers, but it's being inserted anyway by
> some part of
> >>>>> your
> >>>>> site code. I don't know if that would cause the disallowed
> origin
> >>>>> error
> >>>>> message you're seeing if the non-standard header isn't
> supported or
> >>>>> not, but
> >>>>> if it is, there must be some way to disable that within the
> >>>>> application, or
> >>>>> this might get kinda complicated to get working.
> >>>>>
> >>>>> Either way, are you sure that the port on your server isn't
> the issue?
> >>>>> From doing a little reading, it seems that since you're using a
> >>>>> non-standard
> >>>>> port, the 'Origin' header your site will be submitting
> should look like
> >>>>> this:
> >>>>>
> >>>>> Origin: http://triggerfish2.nmfs.noaa.gov:9992
> >>>>>
> >>>>> It's possible that that might not match the rules in our
> >>>>> 'Access-Control-Allow-Origin' setting, if it's only a plain
> string
> >>>>> comparison or something that Apache does.
> >>>>>
> >>>>> Micah
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 6/18/2013 2:41 PM, Tim Haverland - NOAA Federal wrote:
> >>>>>
> >>>>> I don't know the inner workings of our content management
> system, so
> >>>>> not
> >>>>> sure what's sending the x-requested-with header; however, I
> read that
> >>>>> this
> >>>>> is pretty common with Ajax requests, especially from jQuery.
> >>>>>
> >>>>>
> >>>>> On Tue, Jun 18, 2013 at 2:22 PM, Micah Wengren
> <micah.wengren at noaa.gov <mailto:micah.wengren at noaa.gov>>
> >>>>> wrote:
> >>>>>>
> >>>>>> Hi open.ogc at list.woc.noaa.gov
> <mailto:open.ogc at list.woc.noaa.gov>,
> >>>>>>
> >>>>>> I'm sending this thread I've been on with Tim back to the
> email list
> >>>>>> to
> >>>>>> see if we can expedite troubleshooting what the issue is
> with a CORS
> >>>>>> request
> >>>>>> from Tim's development server to services.ogc.noaa.gov
> <http://services.ogc.noaa.gov>. He's
> >>>>>> connecting
> >>>>>> from:
> >>>>>>
> >>>>>> http://triggerfish2.nmfs.noaa.gov:9992
> >>>>>>
> >>>>>> and trying to display one of our services on an OpenLayers
> map (and do
> >>>>>> a
> >>>>>> GetFeatureInfo request, which leads to the need for CORS
> support).
> >>>>>>
> >>>>>>
> >>>>>> I don't really have the answer to his question, anyone at
> the WOC know
> >>>>>> about accepting non-standard headers?
> >>>>>>
> >>>>>> Tim, do you know why this header is required from your
> side, and what
> >>>>>> the
> >>>>>> server should be doing with it?
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Micah
> >>>>>>
> >>>>>> On 6/18/2013 2:05 PM, Tim Haverland - NOAA Federal wrote:
> >>>>>>
> >>>>>> Yeah, doesn't look like the port is an issue, however, my
> request is
> >>>>>> sent
> >>>>>> with these headers:
> >>>>>>
> >>>>>> Access-Control-Request-Headers:
> >>>>>> origin, x-requested-with
> >>>>>>
> >>>>>>
> >>>>>> I've read that the server may need to accept "non-standard"
> headers.
> >>>>>> x-requested-with is a non-standard header. Is this accepted
> on the
> >>>>>> server
> >>>>>> side?
> >>>>>>
> >>>>>> Tim
> >>>>>>
> >>>>>>
> >>>>>> On Tue, Jun 18, 2013 at 1:35 PM, Tim Haverland - NOAA Federal
> >>>>>> <tim.haverland at noaa.gov <mailto:tim.haverland at noaa.gov>> wrote:
> >>>>>>>
> >>>>>>> yes, response header says:
> >>>>>>>
> >>>>>>> Access-Control-Allow-Origin:
> >>>>>>> *.noaa.gov <http://noaa.gov>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On Tue, Jun 18, 2013 at 1:32 PM, Micah Wengren - NOAA Federal
> >>>>>>> <micah.wengren at noaa.gov <mailto:micah.wengren at noaa.gov>>
> wrote:
> >>>>>>>>
> >>>>>>>> Hi Tim,
> >>>>>>>>
> >>>>>>>> I don't know what bearing ports have on CORS. Everything
> from
> >>>>>>>> noaa.gov <http://noaa.gov>
> >>>>>>>> should be allowed though. If you examine http headers
> with firebug
> >>>>>>>> or
> >>>>>>>> something you should be able to see the rule Chi added in
> the header
> >>>>>>>> list.
> >>>>>>>> I believe he would have added it for both http and https,
> but I'd
> >>>>>>>> have to
> >>>>>>>> check. Not at my machine right now. It's more important
> for http in
> >>>>>>>> this
> >>>>>>>> case...
> >>>>>>>>
> >>>>>>>> Micah
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Tuesday, June 18, 2013, Tim Haverland - NOAA Federal
> >>>>>>>> <tim.haverland at noaa.gov <mailto:tim.haverland at noaa.gov>>
> wrote:
> >>>>>>>>>
> >>>>>>>>> Micah, is CORS supported on the production version of
> geoserver?
> >>>>>>>>> I'm
> >>>>>>>>> trying to implement my map in our content management
> system, and
> >>>>>>>>> get the
> >>>>>>>>> following error:
> >>>>>>>>> Origin http://triggerfish2.nmfs.noaa.gov:9992 is not
> allowed by
> >>>>>>>>> Access-Control-Allow-Origin.
> >>>>>>>>>
> >>>>>>>>> Maybe it's the port that's throwing things off?
> >>>>>>>>> Tim
> >>>>>>>>>
> >>>>>>>>> On Thu, Jun 13, 2013 at 1:27 PM, Micah Wengren - NOAA
> Federal
> >>>>>>>>> <micah.wengren at noaa.gov <mailto:micah.wengren at noaa.gov>>
> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Hi Tim,
> >>>>>>>>>>
> >>>>>>>>>> We have *.noaa.gov <http://noaa.gov> enabled anyway for
> CORS support now. If you
> >>>>>>>>>> can
> >>>>>>>>>> copy your openlayers page to your dev server and test
> it out and
> >>>>>>>>>> let me know
> >>>>>>>>>> if it works, that would be great. Whenever you get a
> chance, no
> >>>>>>>>>> rush.
> >>>>>>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Tim Haverland
> >>>>> Acting Operations Branch Chief
> >>>>> NOAA Fisheries Office of Science and Technology
> >>>>> 1315 East-West Highway
> >>>>> SSMC3 Rm 12303
> >>>>> Silver Spring, MD 20910
> >>>>> 301-427-8137 <tel:301-427-8137>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>> Tim Haverland
> >>>> Acting Operations Branch Chief
> >>>> NOAA Fisheries Office of Science and Technology
> >>>> 1315 East-West Highway
> >>>> SSMC3 Rm 12303
> >>>> Silver Spring, MD 20910
> >>>> 301-427-8137 <tel:301-427-8137>
> >>>>
> >>>> _______________________________________________
> >>>> Open.ogc mailing list
> >>>> Open.ogc at list.woc.noaa.gov <mailto:Open.ogc at list.woc.noaa.gov>
> >>>> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
> >>>>
> >>>
> >>>
> >>
> >
> >
> >
> > --
> > Tim Haverland
> > Acting Operations Branch Chief
> > NOAA Fisheries Office of Science and Technology
> > 1315 East-West Highway
> > SSMC3 Rm 12303
> > Silver Spring, MD 20910
> > 301-427-8137 <tel:301-427-8137>
> >
> >
>
>
>
> --
> Chi Y Kang
> Principal Engineer
> Phone: 301.628.5642 <tel:301.628.5642>
> Cell: 240.338.1059 <tel:240.338.1059>
>
>
>
>
> --
> *Tim Haverland*
> Acting Operations Branch Chief
> NOAA Fisheries Office of Science and Technology
> 1315 East-West Highway
> SSMC3 Rm 12303
> Silver Spring, MD 20910
> 301-427-8137
>
>
> _______________________________________________
> Open.ogc mailing list
> Open.ogc at list.woc.noaa.gov
> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://list.woc.noaa.gov/pipermail/open.ogc/attachments/20130621/fe749a23/attachment-0001.html>
More information about the Open.ogc
mailing list