[Open.ogc] CORS Support for services.ogc.noaa.gov
Chi Kang - NOAA Federal
chi.y.kang at noaa.gov
Tue Jun 25 17:28:50 UTC 2013
Give it a go.
On Fri, Jun 21, 2013 at 11:48 AM, Micah Wengren <micah.wengren at noaa.gov> wrote:
> Great! Let us know the outcome.....
>
> Micah
>
>
> On 6/21/2013 11:35 AM, Tim Haverland - NOAA Federal wrote:
>
> Thanks Chi - standing by to test as soon as you can implement this.
>
> Tim
>
>
> On Fri, Jun 21, 2013 at 11:25 AM, Chi Kang - NOAA Federal
> <chi.y.kang at noaa.gov> wrote:
>>
>> Yea, i'm reading the same thing here. For the sake of argument /
>> testing let me try "*" and have Tim validate this.
>>
>>
>> On Thu, Jun 20, 2013 at 8:36 AM, Micah Wengren <micah.wengren at noaa.gov>
>> wrote:
>> > I think it may involve a more complicated way to allow by TLD or
>> > .noaa.gov.
>> > Like you said yesterday Chi *.noaa.gov might be a valid value for that
>> > header. The server might need to dynamically read the Origin header
>> > from
>> > the request and return the same URL if it matches a rule. See:
>> >
>> >
>> > http://www.cameronstokes.com/2010/12/26/cross-origin-resource-sharing-and-apache-httpd/
>> > or
>> >
>> > http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains
>> >
>> > Might be more complicated than we expected to allow a specific domain
>> > instead of "*".
>> >
>> > Micah
>> >
>> >
>> >
>> > On 6/19/2013 4:25 PM, Tim Haverland - NOAA Federal wrote:
>> >
>> > Chi - if services.ogc.noaa.gov does not allow the header
>> > x-requested-with,
>> > and openlayers is sending that header, wouldn't that be a likely source
>> > of a
>> > problem?
>> >
>> > I agree that the error message points to an Origin issue, not headers,
>> > but
>> > it's possible that the error reported by chrome is not that helpful in
>> > pinpointing the actual problem.
>> >
>> > Regarding the Origin, my request is coming from a noaa.gov server, so I
>> > can't think of any other reason why my request is being rejected on an
>> > Origin basis. You are accepting *.noaa.gov so I'd think it would be
>> > accepted.
>> >
>> > Tim
>> >
>> >
>> >
>> > On Wed, Jun 19, 2013 at 3:01 PM, Micah Wengren <micah.wengren at noaa.gov>
>> > wrote:
>> >>
>> >> Chi, I think it's the best option we have from a troubleshooting
>> >> perspective. Other than that, I don't really have an answer myself,
>> >> this
>> >> particular topic isn't an area I'm especially familiar with. It would
>> >> be
>> >> nice to see what is required in order to support this type of
>> >> communication
>> >> with services.ogc.noaa.gov from NOAA users who want to deploy simple
>> >> web
>> >> pages connecting to the services. Tim's use case is a good model for
>> >> what
>> >> other users might want.
>> >>
>> >> Any suggestions welcome for what else to test though. It might be that
>> >> we
>> >> need to tell users that their Access-Control-Request-Headers needs to
>> >> not
>> >> contain any custom header names in order for CORS to work (if this was
>> >> indeed the cause for the failure message).
>> >>
>> >> Micah
>> >>
>> >>
>> >> On 6/19/2013 2:20 PM, Chi Kang - NOAA Federal wrote:
>> >>>
>> >>> Explain to me why you think allowing Access-Control-Request-Headers:
>> >>> x-requested-with would solve this problem?
>> >>>
>> >>>
>> >>> On Tue, Jun 18, 2013 at 5:33 PM, Tim Haverland - NOAA Federal
>> >>> <tim.haverland at noaa.gov> wrote:
>> >>>>
>> >>>> OK, I was able to publish my page to our test server, and there's no
>> >>>> port
>> >>>> appended to the origin:
>> >>>>
>> >>>> Accept:
>> >>>> */*
>> >>>> Accept-Encoding:
>> >>>> gzip,deflate,sdch
>> >>>> Accept-Language:
>> >>>> en-US,en;q=0.8
>> >>>> Access-Control-Request-Headers:
>> >>>> origin, x-requested-with
>> >>>> Access-Control-Request-Method:
>> >>>> GET
>> >>>> Cache-Control:
>> >>>> no-cache
>> >>>> Connection:
>> >>>> keep-alive
>> >>>> Host:
>> >>>> services.ogc.noaa.gov
>> >>>> Origin:
>> >>>> http://www.st-test.nmfs.noaa.gov
>> >>>> Pragma:
>> >>>> no-cache
>> >>>> Referer:
>> >>>> http://www.st-test.nmfs.noaa.gov/appstech/map-test
>> >>>> User-Agent:
>> >>>> Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like
>> >>>> Gecko)
>> >>>> Chrome/27.0.1453.110 Safari/537.36
>> >>>>
>> >>>>
>> >>>> Still get the error:
>> >>>>
>> >>>> Origin http://www.st-test.nmfs.noaa.gov is not allowed by
>> >>>> Access-Control-Allow-Origin
>> >>>>
>> >>>> WOC, can you allow the header x-requested-with to see if that fixes
>> >>>> the
>> >>>> problem?
>> >>>>
>> >>>> Tim
>> >>>>
>> >>>>
>> >>>> On Tue, Jun 18, 2013 at 4:26 PM, Micah Wengren
>> >>>> <micah.wengren at noaa.gov>
>> >>>> wrote:
>> >>>>>
>> >>>>> Tim,
>> >>>>>
>> >>>>> I found this:
>> >>>>>
>> >>>>>
>> >>>>> http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request
>> >>>>>
>> >>>>> It sounds like jQuery or some part of the CMS is trying to ask
>> >>>>> whether
>> >>>>> the
>> >>>>> server will accept a header 'x-requested-with'. I'm sure that's not
>> >>>>> required for OpenLayers, but it's being inserted anyway by some part
>> >>>>> of
>> >>>>> your
>> >>>>> site code. I don't know if that would cause the disallowed origin
>> >>>>> error
>> >>>>> message you're seeing if the non-standard header isn't supported or
>> >>>>> not, but
>> >>>>> if it is, there must be some way to disable that within the
>> >>>>> application, or
>> >>>>> this might get kinda complicated to get working.
>> >>>>>
>> >>>>> Either way, are you sure that the port on your server isn't the
>> >>>>> issue?
>> >>>>> From doing a little reading, it seems that since you're using a
>> >>>>> non-standard
>> >>>>> port, the 'Origin' header your site will be submitting should look
>> >>>>> like
>> >>>>> this:
>> >>>>>
>> >>>>> Origin: http://triggerfish2.nmfs.noaa.gov:9992
>> >>>>>
>> >>>>> It's possible that that might not match the rules in our
>> >>>>> 'Access-Control-Allow-Origin' setting, if it's only a plain string
>> >>>>> comparison or something that Apache does.
>> >>>>>
>> >>>>> Micah
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On 6/18/2013 2:41 PM, Tim Haverland - NOAA Federal wrote:
>> >>>>>
>> >>>>> I don't know the inner workings of our content management system, so
>> >>>>> not
>> >>>>> sure what's sending the x-requested-with header; however, I read
>> >>>>> that
>> >>>>> this
>> >>>>> is pretty common with Ajax requests, especially from jQuery.
>> >>>>>
>> >>>>>
>> >>>>> On Tue, Jun 18, 2013 at 2:22 PM, Micah Wengren
>> >>>>> <micah.wengren at noaa.gov>
>> >>>>> wrote:
>> >>>>>>
>> >>>>>> Hi open.ogc at list.woc.noaa.gov,
>> >>>>>>
>> >>>>>> I'm sending this thread I've been on with Tim back to the email
>> >>>>>> list
>> >>>>>> to
>> >>>>>> see if we can expedite troubleshooting what the issue is with a
>> >>>>>> CORS
>> >>>>>> request
>> >>>>>> from Tim's development server to services.ogc.noaa.gov. He's
>> >>>>>> connecting
>> >>>>>> from:
>> >>>>>>
>> >>>>>> http://triggerfish2.nmfs.noaa.gov:9992
>> >>>>>>
>> >>>>>> and trying to display one of our services on an OpenLayers map (and
>> >>>>>> do
>> >>>>>> a
>> >>>>>> GetFeatureInfo request, which leads to the need for CORS support).
>> >>>>>>
>> >>>>>>
>> >>>>>> I don't really have the answer to his question, anyone at the WOC
>> >>>>>> know
>> >>>>>> about accepting non-standard headers?
>> >>>>>>
>> >>>>>> Tim, do you know why this header is required from your side, and
>> >>>>>> what
>> >>>>>> the
>> >>>>>> server should be doing with it?
>> >>>>>>
>> >>>>>> Thanks,
>> >>>>>> Micah
>> >>>>>>
>> >>>>>> On 6/18/2013 2:05 PM, Tim Haverland - NOAA Federal wrote:
>> >>>>>>
>> >>>>>> Yeah, doesn't look like the port is an issue, however, my request
>> >>>>>> is
>> >>>>>> sent
>> >>>>>> with these headers:
>> >>>>>>
>> >>>>>> Access-Control-Request-Headers:
>> >>>>>> origin, x-requested-with
>> >>>>>>
>> >>>>>>
>> >>>>>> I've read that the server may need to accept "non-standard"
>> >>>>>> headers.
>> >>>>>> x-requested-with is a non-standard header. Is this accepted on the
>> >>>>>> server
>> >>>>>> side?
>> >>>>>>
>> >>>>>> Tim
>> >>>>>>
>> >>>>>>
>> >>>>>> On Tue, Jun 18, 2013 at 1:35 PM, Tim Haverland - NOAA Federal
>> >>>>>> <tim.haverland at noaa.gov> wrote:
>> >>>>>>>
>> >>>>>>> yes, response header says:
>> >>>>>>>
>> >>>>>>> Access-Control-Allow-Origin:
>> >>>>>>> *.noaa.gov
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> On Tue, Jun 18, 2013 at 1:32 PM, Micah Wengren - NOAA Federal
>> >>>>>>> <micah.wengren at noaa.gov> wrote:
>> >>>>>>>>
>> >>>>>>>> Hi Tim,
>> >>>>>>>>
>> >>>>>>>> I don't know what bearing ports have on CORS. Everything from
>> >>>>>>>> noaa.gov
>> >>>>>>>> should be allowed though. If you examine http headers with
>> >>>>>>>> firebug
>> >>>>>>>> or
>> >>>>>>>> something you should be able to see the rule Chi added in the
>> >>>>>>>> header
>> >>>>>>>> list.
>> >>>>>>>> I believe he would have added it for both http and https, but I'd
>> >>>>>>>> have to
>> >>>>>>>> check. Not at my machine right now. It's more important for http
>> >>>>>>>> in
>> >>>>>>>> this
>> >>>>>>>> case...
>> >>>>>>>>
>> >>>>>>>> Micah
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> On Tuesday, June 18, 2013, Tim Haverland - NOAA Federal
>> >>>>>>>> <tim.haverland at noaa.gov> wrote:
>> >>>>>>>>>
>> >>>>>>>>> Micah, is CORS supported on the production version of geoserver?
>> >>>>>>>>> I'm
>> >>>>>>>>> trying to implement my map in our content management system, and
>> >>>>>>>>> get the
>> >>>>>>>>> following error:
>> >>>>>>>>> Origin http://triggerfish2.nmfs.noaa.gov:9992 is not allowed by
>> >>>>>>>>> Access-Control-Allow-Origin.
>> >>>>>>>>>
>> >>>>>>>>> Maybe it's the port that's throwing things off?
>> >>>>>>>>> Tim
>> >>>>>>>>>
>> >>>>>>>>> On Thu, Jun 13, 2013 at 1:27 PM, Micah Wengren - NOAA Federal
>> >>>>>>>>> <micah.wengren at noaa.gov> wrote:
>> >>>>>>>>>>
>> >>>>>>>>>> Hi Tim,
>> >>>>>>>>>>
>> >>>>>>>>>> We have *.noaa.gov enabled anyway for CORS support now. If you
>> >>>>>>>>>> can
>> >>>>>>>>>> copy your openlayers page to your dev server and test it out
>> >>>>>>>>>> and
>> >>>>>>>>>> let me know
>> >>>>>>>>>> if it works, that would be great. Whenever you get a chance, no
>> >>>>>>>>>> rush.
>> >>>>>>>>>>
>> >>>>>>
>> >>>>>
>> >>>>>
>> >>>>> --
>> >>>>> Tim Haverland
>> >>>>> Acting Operations Branch Chief
>> >>>>> NOAA Fisheries Office of Science and Technology
>> >>>>> 1315 East-West Highway
>> >>>>> SSMC3 Rm 12303
>> >>>>> Silver Spring, MD 20910
>> >>>>> 301-427-8137
>> >>>>>
>> >>>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> Tim Haverland
>> >>>> Acting Operations Branch Chief
>> >>>> NOAA Fisheries Office of Science and Technology
>> >>>> 1315 East-West Highway
>> >>>> SSMC3 Rm 12303
>> >>>> Silver Spring, MD 20910
>> >>>> 301-427-8137
>> >>>>
>> >>>> _______________________________________________
>> >>>> Open.ogc mailing list
>> >>>> Open.ogc at list.woc.noaa.gov
>> >>>> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
>> >>>>
>> >>>
>> >>>
>> >>
>> >
>> >
>> >
>> > --
>> > Tim Haverland
>> > Acting Operations Branch Chief
>> > NOAA Fisheries Office of Science and Technology
>> > 1315 East-West Highway
>> > SSMC3 Rm 12303
>> > Silver Spring, MD 20910
>> > 301-427-8137
>> >
>> >
>>
>>
>>
>> --
>> Chi Y Kang
>> Principal Engineer
>> Phone: 301.628.5642
>> Cell: 240.338.1059
>
>
>
>
> --
> Tim Haverland
> Acting Operations Branch Chief
> NOAA Fisheries Office of Science and Technology
> 1315 East-West Highway
> SSMC3 Rm 12303
> Silver Spring, MD 20910
> 301-427-8137
>
>
> _______________________________________________
> Open.ogc mailing list
> Open.ogc at list.woc.noaa.gov
> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
>
>
>
> _______________________________________________
> Open.ogc mailing list
> Open.ogc at list.woc.noaa.gov
> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
>
--
Chi Y Kang
Principal Engineer
Phone: 301.628.5642
Cell: 240.338.1059
More information about the Open.ogc
mailing list