[Open.ogc] CORS Support for services.ogc.noaa.gov
Tim Haverland - NOAA Federal
tim.haverland at noaa.gov
Thu Jun 27 17:30:23 UTC 2013
Now I get:
Request header field X-Requested-With is not allowed by
Access-Control-Allow-Headers.
So it looks like my origin passed but header failed.
On Tue, Jun 25, 2013 at 1:28 PM, Chi Kang - NOAA Federal <
chi.y.kang at noaa.gov> wrote:
> Give it a go.
>
> On Fri, Jun 21, 2013 at 11:48 AM, Micah Wengren <micah.wengren at noaa.gov>
> wrote:
> > Great! Let us know the outcome.....
> >
> > Micah
> >
> >
> > On 6/21/2013 11:35 AM, Tim Haverland - NOAA Federal wrote:
> >
> > Thanks Chi - standing by to test as soon as you can implement this.
> >
> > Tim
> >
> >
> > On Fri, Jun 21, 2013 at 11:25 AM, Chi Kang - NOAA Federal
> > <chi.y.kang at noaa.gov> wrote:
> >>
> >> Yea, i'm reading the same thing here. For the sake of argument /
> >> testing let me try "*" and have Tim validate this.
> >>
> >>
> >> On Thu, Jun 20, 2013 at 8:36 AM, Micah Wengren <micah.wengren at noaa.gov>
> >> wrote:
> >> > I think it may involve a more complicated way to allow by TLD or
> >> > .noaa.gov.
> >> > Like you said yesterday Chi *.noaa.gov might be a valid value for
> that
> >> > header. The server might need to dynamically read the Origin header
> >> > from
> >> > the request and return the same URL if it matches a rule. See:
> >> >
> >> >
> >> >
> http://www.cameronstokes.com/2010/12/26/cross-origin-resource-sharing-and-apache-httpd/
> >> > or
> >> >
> >> >
> http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains
> >> >
> >> > Might be more complicated than we expected to allow a specific domain
> >> > instead of "*".
> >> >
> >> > Micah
> >> >
> >> >
> >> >
> >> > On 6/19/2013 4:25 PM, Tim Haverland - NOAA Federal wrote:
> >> >
> >> > Chi - if services.ogc.noaa.gov does not allow the header
> >> > x-requested-with,
> >> > and openlayers is sending that header, wouldn't that be a likely
> source
> >> > of a
> >> > problem?
> >> >
> >> > I agree that the error message points to an Origin issue, not headers,
> >> > but
> >> > it's possible that the error reported by chrome is not that helpful in
> >> > pinpointing the actual problem.
> >> >
> >> > Regarding the Origin, my request is coming from a noaa.gov server,
> so I
> >> > can't think of any other reason why my request is being rejected on an
> >> > Origin basis. You are accepting *.noaa.gov so I'd think it would be
> >> > accepted.
> >> >
> >> > Tim
> >> >
> >> >
> >> >
> >> > On Wed, Jun 19, 2013 at 3:01 PM, Micah Wengren <
> micah.wengren at noaa.gov>
> >> > wrote:
> >> >>
> >> >> Chi, I think it's the best option we have from a troubleshooting
> >> >> perspective. Other than that, I don't really have an answer myself,
> >> >> this
> >> >> particular topic isn't an area I'm especially familiar with. It
> would
> >> >> be
> >> >> nice to see what is required in order to support this type of
> >> >> communication
> >> >> with services.ogc.noaa.gov from NOAA users who want to deploy simple
> >> >> web
> >> >> pages connecting to the services. Tim's use case is a good model for
> >> >> what
> >> >> other users might want.
> >> >>
> >> >> Any suggestions welcome for what else to test though. It might be
> that
> >> >> we
> >> >> need to tell users that their Access-Control-Request-Headers needs to
> >> >> not
> >> >> contain any custom header names in order for CORS to work (if this
> was
> >> >> indeed the cause for the failure message).
> >> >>
> >> >> Micah
> >> >>
> >> >>
> >> >> On 6/19/2013 2:20 PM, Chi Kang - NOAA Federal wrote:
> >> >>>
> >> >>> Explain to me why you think allowing Access-Control-Request-Headers:
> >> >>> x-requested-with would solve this problem?
> >> >>>
> >> >>>
> >> >>> On Tue, Jun 18, 2013 at 5:33 PM, Tim Haverland - NOAA Federal
> >> >>> <tim.haverland at noaa.gov> wrote:
> >> >>>>
> >> >>>> OK, I was able to publish my page to our test server, and there's
> no
> >> >>>> port
> >> >>>> appended to the origin:
> >> >>>>
> >> >>>> Accept:
> >> >>>> */*
> >> >>>> Accept-Encoding:
> >> >>>> gzip,deflate,sdch
> >> >>>> Accept-Language:
> >> >>>> en-US,en;q=0.8
> >> >>>> Access-Control-Request-Headers:
> >> >>>> origin, x-requested-with
> >> >>>> Access-Control-Request-Method:
> >> >>>> GET
> >> >>>> Cache-Control:
> >> >>>> no-cache
> >> >>>> Connection:
> >> >>>> keep-alive
> >> >>>> Host:
> >> >>>> services.ogc.noaa.gov
> >> >>>> Origin:
> >> >>>> http://www.st-test.nmfs.noaa.gov
> >> >>>> Pragma:
> >> >>>> no-cache
> >> >>>> Referer:
> >> >>>> http://www.st-test.nmfs.noaa.gov/appstech/map-test
> >> >>>> User-Agent:
> >> >>>> Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like
> >> >>>> Gecko)
> >> >>>> Chrome/27.0.1453.110 Safari/537.36
> >> >>>>
> >> >>>>
> >> >>>> Still get the error:
> >> >>>>
> >> >>>> Origin http://www.st-test.nmfs.noaa.gov is not allowed by
> >> >>>> Access-Control-Allow-Origin
> >> >>>>
> >> >>>> WOC, can you allow the header x-requested-with to see if that fixes
> >> >>>> the
> >> >>>> problem?
> >> >>>>
> >> >>>> Tim
> >> >>>>
> >> >>>>
> >> >>>> On Tue, Jun 18, 2013 at 4:26 PM, Micah Wengren
> >> >>>> <micah.wengren at noaa.gov>
> >> >>>> wrote:
> >> >>>>>
> >> >>>>> Tim,
> >> >>>>>
> >> >>>>> I found this:
> >> >>>>>
> >> >>>>>
> >> >>>>>
> http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request
> >> >>>>>
> >> >>>>> It sounds like jQuery or some part of the CMS is trying to ask
> >> >>>>> whether
> >> >>>>> the
> >> >>>>> server will accept a header 'x-requested-with'. I'm sure that's
> not
> >> >>>>> required for OpenLayers, but it's being inserted anyway by some
> part
> >> >>>>> of
> >> >>>>> your
> >> >>>>> site code. I don't know if that would cause the disallowed origin
> >> >>>>> error
> >> >>>>> message you're seeing if the non-standard header isn't supported
> or
> >> >>>>> not, but
> >> >>>>> if it is, there must be some way to disable that within the
> >> >>>>> application, or
> >> >>>>> this might get kinda complicated to get working.
> >> >>>>>
> >> >>>>> Either way, are you sure that the port on your server isn't the
> >> >>>>> issue?
> >> >>>>> From doing a little reading, it seems that since you're using a
> >> >>>>> non-standard
> >> >>>>> port, the 'Origin' header your site will be submitting should look
> >> >>>>> like
> >> >>>>> this:
> >> >>>>>
> >> >>>>> Origin: http://triggerfish2.nmfs.noaa.gov:9992
> >> >>>>>
> >> >>>>> It's possible that that might not match the rules in our
> >> >>>>> 'Access-Control-Allow-Origin' setting, if it's only a plain string
> >> >>>>> comparison or something that Apache does.
> >> >>>>>
> >> >>>>> Micah
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>> On 6/18/2013 2:41 PM, Tim Haverland - NOAA Federal wrote:
> >> >>>>>
> >> >>>>> I don't know the inner workings of our content management system,
> so
> >> >>>>> not
> >> >>>>> sure what's sending the x-requested-with header; however, I read
> >> >>>>> that
> >> >>>>> this
> >> >>>>> is pretty common with Ajax requests, especially from jQuery.
> >> >>>>>
> >> >>>>>
> >> >>>>> On Tue, Jun 18, 2013 at 2:22 PM, Micah Wengren
> >> >>>>> <micah.wengren at noaa.gov>
> >> >>>>> wrote:
> >> >>>>>>
> >> >>>>>> Hi open.ogc at list.woc.noaa.gov,
> >> >>>>>>
> >> >>>>>> I'm sending this thread I've been on with Tim back to the email
> >> >>>>>> list
> >> >>>>>> to
> >> >>>>>> see if we can expedite troubleshooting what the issue is with a
> >> >>>>>> CORS
> >> >>>>>> request
> >> >>>>>> from Tim's development server to services.ogc.noaa.gov. He's
> >> >>>>>> connecting
> >> >>>>>> from:
> >> >>>>>>
> >> >>>>>> http://triggerfish2.nmfs.noaa.gov:9992
> >> >>>>>>
> >> >>>>>> and trying to display one of our services on an OpenLayers map
> (and
> >> >>>>>> do
> >> >>>>>> a
> >> >>>>>> GetFeatureInfo request, which leads to the need for CORS
> support).
> >> >>>>>>
> >> >>>>>>
> >> >>>>>> I don't really have the answer to his question, anyone at the WOC
> >> >>>>>> know
> >> >>>>>> about accepting non-standard headers?
> >> >>>>>>
> >> >>>>>> Tim, do you know why this header is required from your side, and
> >> >>>>>> what
> >> >>>>>> the
> >> >>>>>> server should be doing with it?
> >> >>>>>>
> >> >>>>>> Thanks,
> >> >>>>>> Micah
> >> >>>>>>
> >> >>>>>> On 6/18/2013 2:05 PM, Tim Haverland - NOAA Federal wrote:
> >> >>>>>>
> >> >>>>>> Yeah, doesn't look like the port is an issue, however, my request
> >> >>>>>> is
> >> >>>>>> sent
> >> >>>>>> with these headers:
> >> >>>>>>
> >> >>>>>> Access-Control-Request-Headers:
> >> >>>>>> origin, x-requested-with
> >> >>>>>>
> >> >>>>>>
> >> >>>>>> I've read that the server may need to accept "non-standard"
> >> >>>>>> headers.
> >> >>>>>> x-requested-with is a non-standard header. Is this accepted on
> the
> >> >>>>>> server
> >> >>>>>> side?
> >> >>>>>>
> >> >>>>>> Tim
> >> >>>>>>
> >> >>>>>>
> >> >>>>>> On Tue, Jun 18, 2013 at 1:35 PM, Tim Haverland - NOAA Federal
> >> >>>>>> <tim.haverland at noaa.gov> wrote:
> >> >>>>>>>
> >> >>>>>>> yes, response header says:
> >> >>>>>>>
> >> >>>>>>> Access-Control-Allow-Origin:
> >> >>>>>>> *.noaa.gov
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>>> On Tue, Jun 18, 2013 at 1:32 PM, Micah Wengren - NOAA Federal
> >> >>>>>>> <micah.wengren at noaa.gov> wrote:
> >> >>>>>>>>
> >> >>>>>>>> Hi Tim,
> >> >>>>>>>>
> >> >>>>>>>> I don't know what bearing ports have on CORS. Everything from
> >> >>>>>>>> noaa.gov
> >> >>>>>>>> should be allowed though. If you examine http headers with
> >> >>>>>>>> firebug
> >> >>>>>>>> or
> >> >>>>>>>> something you should be able to see the rule Chi added in the
> >> >>>>>>>> header
> >> >>>>>>>> list.
> >> >>>>>>>> I believe he would have added it for both http and https, but
> I'd
> >> >>>>>>>> have to
> >> >>>>>>>> check. Not at my machine right now. It's more important for
> http
> >> >>>>>>>> in
> >> >>>>>>>> this
> >> >>>>>>>> case...
> >> >>>>>>>>
> >> >>>>>>>> Micah
> >> >>>>>>>>
> >> >>>>>>>>
> >> >>>>>>>>
> >> >>>>>>>> On Tuesday, June 18, 2013, Tim Haverland - NOAA Federal
> >> >>>>>>>> <tim.haverland at noaa.gov> wrote:
> >> >>>>>>>>>
> >> >>>>>>>>> Micah, is CORS supported on the production version of
> geoserver?
> >> >>>>>>>>> I'm
> >> >>>>>>>>> trying to implement my map in our content management system,
> and
> >> >>>>>>>>> get the
> >> >>>>>>>>> following error:
> >> >>>>>>>>> Origin http://triggerfish2.nmfs.noaa.gov:9992 is not allowed
> by
> >> >>>>>>>>> Access-Control-Allow-Origin.
> >> >>>>>>>>>
> >> >>>>>>>>> Maybe it's the port that's throwing things off?
> >> >>>>>>>>> Tim
> >> >>>>>>>>>
> >> >>>>>>>>> On Thu, Jun 13, 2013 at 1:27 PM, Micah Wengren - NOAA Federal
> >> >>>>>>>>> <micah.wengren at noaa.gov> wrote:
> >> >>>>>>>>>>
> >> >>>>>>>>>> Hi Tim,
> >> >>>>>>>>>>
> >> >>>>>>>>>> We have *.noaa.gov enabled anyway for CORS support now. If
> you
> >> >>>>>>>>>> can
> >> >>>>>>>>>> copy your openlayers page to your dev server and test it out
> >> >>>>>>>>>> and
> >> >>>>>>>>>> let me know
> >> >>>>>>>>>> if it works, that would be great. Whenever you get a chance,
> no
> >> >>>>>>>>>> rush.
> >> >>>>>>>>>>
> >> >>>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>> --
> >> >>>>> Tim Haverland
> >> >>>>> Acting Operations Branch Chief
> >> >>>>> NOAA Fisheries Office of Science and Technology
> >> >>>>> 1315 East-West Highway
> >> >>>>> SSMC3 Rm 12303
> >> >>>>> Silver Spring, MD 20910
> >> >>>>> 301-427-8137
> >> >>>>>
> >> >>>>>
> >> >>>>
> >> >>>>
> >> >>>> --
> >> >>>> Tim Haverland
> >> >>>> Acting Operations Branch Chief
> >> >>>> NOAA Fisheries Office of Science and Technology
> >> >>>> 1315 East-West Highway
> >> >>>> SSMC3 Rm 12303
> >> >>>> Silver Spring, MD 20910
> >> >>>> 301-427-8137
> >> >>>>
> >> >>>> _______________________________________________
> >> >>>> Open.ogc mailing list
> >> >>>> Open.ogc at list.woc.noaa.gov
> >> >>>> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
> >> >>>>
> >> >>>
> >> >>>
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> > Tim Haverland
> >> > Acting Operations Branch Chief
> >> > NOAA Fisheries Office of Science and Technology
> >> > 1315 East-West Highway
> >> > SSMC3 Rm 12303
> >> > Silver Spring, MD 20910
> >> > 301-427-8137
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >> Chi Y Kang
> >> Principal Engineer
> >> Phone: 301.628.5642
> >> Cell: 240.338.1059
> >
> >
> >
> >
> > --
> > Tim Haverland
> > Acting Operations Branch Chief
> > NOAA Fisheries Office of Science and Technology
> > 1315 East-West Highway
> > SSMC3 Rm 12303
> > Silver Spring, MD 20910
> > 301-427-8137
> >
> >
> > _______________________________________________
> > Open.ogc mailing list
> > Open.ogc at list.woc.noaa.gov
> > https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
> >
> >
> >
> > _______________________________________________
> > Open.ogc mailing list
> > Open.ogc at list.woc.noaa.gov
> > https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
> >
>
>
>
> --
> Chi Y Kang
> Principal Engineer
> Phone: 301.628.5642
> Cell: 240.338.1059
> _______________________________________________
> Open.ogc mailing list
> Open.ogc at list.woc.noaa.gov
> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
>
--
*Tim Haverland*
Acting Operations Branch Chief
NOAA Fisheries Office of Science and Technology
1315 East-West Highway
SSMC3 Rm 12303
Silver Spring, MD 20910
301-427-8137
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://list.woc.noaa.gov/pipermail/open.ogc/attachments/20130627/7f0450fb/attachment-0001.html>
More information about the Open.ogc
mailing list