[Open.ogc] CORS Support for services.ogc.noaa.gov
Chi Kang - NOAA Federal
chi.y.kang at noaa.gov
Thu Jun 27 17:32:00 UTC 2013
Give it a try now.
$ lwp-request -UsSe -d "http://services.ogc.noaa.gov/geoserver/index.html"
GET http://services.ogc.noaa.gov/geoserver/index.html
User-Agent: lwp-request/5.810
GET http://services.ogc.noaa.gov/geoserver/index.html --> 200 OK
Connection: close
Date: Thu, 27 Jun 2013 17:31:45 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 657
Content-Type: text/html;charset=UTF-8
Content-Type: text/html; charset=ISO-8859-1
Last-Modified: Thu, 05 Jul 2012 04:25:38 GMT
Access-Control-Allow-Headers: origin, x-requested-with
Access-Control-Allow-Origin: *
Client-Date: Thu, 27 Jun 2013 17:31:45 GMT
Client-Peer: 140.172.17.218:80
Client-Response-Num: 1
On Thu, Jun 27, 2013 at 1:30 PM, Tim Haverland - NOAA Federal
<tim.haverland at noaa.gov> wrote:
> Now I get:
>
> Request header field X-Requested-With is not allowed by
> Access-Control-Allow-Headers.
>
> So it looks like my origin passed but header failed.
>
>
> On Tue, Jun 25, 2013 at 1:28 PM, Chi Kang - NOAA Federal
> <chi.y.kang at noaa.gov> wrote:
>>
>> Give it a go.
>>
>> On Fri, Jun 21, 2013 at 11:48 AM, Micah Wengren <micah.wengren at noaa.gov>
>> wrote:
>> > Great! Let us know the outcome.....
>> >
>> > Micah
>> >
>> >
>> > On 6/21/2013 11:35 AM, Tim Haverland - NOAA Federal wrote:
>> >
>> > Thanks Chi - standing by to test as soon as you can implement this.
>> >
>> > Tim
>> >
>> >
>> > On Fri, Jun 21, 2013 at 11:25 AM, Chi Kang - NOAA Federal
>> > <chi.y.kang at noaa.gov> wrote:
>> >>
>> >> Yeah, I'm reading the same thing here. For the sake of argument /
>> >> testing let me try "*" and have Tim validate this.
>> >>
>> >>
>> >> On Thu, Jun 20, 2013 at 8:36 AM, Micah Wengren <micah.wengren at noaa.gov>
>> >> wrote:
>> >> > I think it may involve a more complicated way to allow by TLD or .noaa.gov.
>> >> > Like you said yesterday Chi *.noaa.gov might be a valid value for that
>> >> > header. The server might need to dynamically read the Origin header from
>> >> > the request and return the same URL if it matches a rule. See:
>> >> >
>> >> >
>> >> >
>> >> > http://www.cameronstokes.com/2010/12/26/cross-origin-resource-sharing-and-apache-httpd/
>> >> > or
>> >> >
>> >> >
>> >> > http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains
>> >> >
>> >> > Might be more complicated than we expected to allow a specific domain
>> >> > instead of "*".
>> >> >
>> >> > Micah
>> >> >
>> >> >
>> >> >
>> >> > On 6/19/2013 4:25 PM, Tim Haverland - NOAA Federal wrote:
>> >> >
>> >> > Chi - if services.ogc.noaa.gov does not allow the header x-requested-with,
>> >> > and openlayers is sending that header, wouldn't that be a likely source
>> >> > of a problem?
>> >> >
>> >> > I agree that the error message points to an Origin issue, not headers,
>> >> > but it's possible that the error reported by chrome is not that helpful
>> >> > in pinpointing the actual problem.
>> >> >
>> >> > Regarding the Origin, my request is coming from a noaa.gov server, so I
>> >> > can't think of any other reason why my request is being rejected on an
>> >> > Origin basis. You are accepting *.noaa.gov so I'd think it would be
>> >> > accepted.
>> >> >
>> >> > Tim
>> >> >
>> >> >
>> >> >
>> >> > On Wed, Jun 19, 2013 at 3:01 PM, Micah Wengren <micah.wengren at noaa.gov>
>> >> > wrote:
>> >> >>
>> >> >> Chi, I think it's the best option we have from a troubleshooting
>> >> >> perspective. Other than that, I don't really have an answer myself, this
>> >> >> particular topic isn't an area I'm especially familiar with. It would be
>> >> >> nice to see what is required in order to support this type of communication
>> >> >> with services.ogc.noaa.gov from NOAA users who want to deploy simple web
>> >> >> pages connecting to the services. Tim's use case is a good model for what
>> >> >> other users might want.
>> >> >>
>> >> >> Any suggestions welcome for what else to test though. It might be that we
>> >> >> need to tell users that their Access-Control-Request-Headers needs to not
>> >> >> contain any custom header names in order for CORS to work (if this was
>> >> >> indeed the cause for the failure message).
>> >> >>
>> >> >> Micah
>> >> >>
>> >> >>
>> >> >> On 6/19/2013 2:20 PM, Chi Kang - NOAA Federal wrote:
>> >> >>>
>> >> >>> Explain to me why you think allowing Access-Control-Request-Headers:
>> >> >>> x-requested-with would solve this problem?
>> >> >>>
>> >> >>>
>> >> >>> On Tue, Jun 18, 2013 at 5:33 PM, Tim Haverland - NOAA Federal
>> >> >>> <tim.haverland at noaa.gov> wrote:
>> >> >>>>
>> >> >>>> OK, I was able to publish my page to our test server, and there's no port
>> >> >>>> appended to the origin:
>> >> >>>>
>> >> >>>> Accept: */*
>> >> >>>> Accept-Encoding: gzip,deflate,sdch
>> >> >>>> Accept-Language: en-US,en;q=0.8
>> >> >>>> Access-Control-Request-Headers: origin, x-requested-with
>> >> >>>> Access-Control-Request-Method: GET
>> >> >>>> Cache-Control: no-cache
>> >> >>>> Connection: keep-alive
>> >> >>>> Host: services.ogc.noaa.gov
>> >> >>>> Origin: http://www.st-test.nmfs.noaa.gov
>> >> >>>> Pragma: no-cache
>> >> >>>> Referer: http://www.st-test.nmfs.noaa.gov/appstech/map-test
>> >> >>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36
>> >> >>>>
>> >> >>>>
>> >> >>>> Still get the error:
>> >> >>>>
>> >> >>>> Origin http://www.st-test.nmfs.noaa.gov is not allowed by
>> >> >>>> Access-Control-Allow-Origin
>> >> >>>>
>> >> >>>> WOC, can you allow the header x-requested-with to see if that fixes the
>> >> >>>> problem?
>> >> >>>>
>> >> >>>> Tim
>> >> >>>>
>> >> >>>>
>> >> >>>> On Tue, Jun 18, 2013 at 4:26 PM, Micah Wengren
>> >> >>>> <micah.wengren at noaa.gov>
>> >> >>>> wrote:
>> >> >>>>>
>> >> >>>>> Tim,
>> >> >>>>>
>> >> >>>>> I found this:
>> >> >>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request
>> >> >>>>>
>> >> >>>>> It sounds like jQuery or some part of the CMS is trying to ask whether the
>> >> >>>>> server will accept a header 'x-requested-with'. I'm sure that's not
>> >> >>>>> required for OpenLayers, but it's being inserted anyway by some part of your
>> >> >>>>> site code. I don't know if that would cause the disallowed origin error
>> >> >>>>> message you're seeing if the non-standard header isn't supported or not, but
>> >> >>>>> if it is, there must be some way to disable that within the application, or
>> >> >>>>> this might get kinda complicated to get working.
>> >> >>>>>
>> >> >>>>> Either way, are you sure that the port on your server isn't the issue?
>> >> >>>>> From doing a little reading, it seems that since you're using a non-standard
>> >> >>>>> port, the 'Origin' header your site will be submitting should look like
>> >> >>>>> this:
>> >> >>>>>
>> >> >>>>> Origin: http://triggerfish2.nmfs.noaa.gov:9992
>> >> >>>>>
>> >> >>>>> It's possible that that might not match the rules in our
>> >> >>>>> 'Access-Control-Allow-Origin' setting, if it's only a plain string
>> >> >>>>> comparison or something that Apache does.
>> >> >>>>>
>> >> >>>>> Micah
>> >> >>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> On 6/18/2013 2:41 PM, Tim Haverland - NOAA Federal wrote:
>> >> >>>>>
>> >> >>>>> I don't know the inner workings of our content management system, so not
>> >> >>>>> sure what's sending the x-requested-with header; however, I read that this
>> >> >>>>> is pretty common with Ajax requests, especially from jQuery.
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> On Tue, Jun 18, 2013 at 2:22 PM, Micah Wengren
>> >> >>>>> <micah.wengren at noaa.gov>
>> >> >>>>> wrote:
>> >> >>>>>>
>> >> >>>>>> Hi open.ogc at list.woc.noaa.gov,
>> >> >>>>>>
>> >> >>>>>> I'm sending this thread I've been on with Tim back to the email list to
>> >> >>>>>> see if we can expedite troubleshooting what the issue is with a CORS request
>> >> >>>>>> from Tim's development server to services.ogc.noaa.gov. He's connecting
>> >> >>>>>> from:
>> >> >>>>>>
>> >> >>>>>> http://triggerfish2.nmfs.noaa.gov:9992
>> >> >>>>>>
>> >> >>>>>> and trying to display one of our services on an OpenLayers map (and do a
>> >> >>>>>> GetFeatureInfo request, which leads to the need for CORS support).
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>> I don't really have the answer to his question, anyone at the WOC know
>> >> >>>>>> about accepting non-standard headers?
>> >> >>>>>>
>> >> >>>>>> Tim, do you know why this header is required from your side, and what the
>> >> >>>>>> server should be doing with it?
>> >> >>>>>>
>> >> >>>>>> Thanks,
>> >> >>>>>> Micah
>> >> >>>>>>
>> >> >>>>>> On 6/18/2013 2:05 PM, Tim Haverland - NOAA Federal wrote:
>> >> >>>>>>
>> >> >>>>>> Yeah, doesn't look like the port is an issue, however, my request is sent
>> >> >>>>>> with these headers:
>> >> >>>>>>
>> >> >>>>>> Access-Control-Request-Headers: origin, x-requested-with
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>> I've read that the server may need to accept "non-standard" headers.
>> >> >>>>>> x-requested-with is a non-standard header. Is this accepted on the server
>> >> >>>>>> side?
>> >> >>>>>>
>> >> >>>>>> Tim
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>>> On Tue, Jun 18, 2013 at 1:35 PM, Tim Haverland - NOAA Federal
>> >> >>>>>> <tim.haverland at noaa.gov> wrote:
>> >> >>>>>>>
>> >> >>>>>>> yes, response header says:
>> >> >>>>>>>
>> >> >>>>>>> Access-Control-Allow-Origin: *.noaa.gov
>> >> >>>>>>>
>> >> >>>>>>>
>> >> >>>>>>>
>> >> >>>>>>> On Tue, Jun 18, 2013 at 1:32 PM, Micah Wengren - NOAA Federal
>> >> >>>>>>> <micah.wengren at noaa.gov> wrote:
>> >> >>>>>>>>
>> >> >>>>>>>> Hi Tim,
>> >> >>>>>>>>
>> >> >>>>>>>> I don't know what bearing ports have on CORS. Everything from noaa.gov
>> >> >>>>>>>> should be allowed though. If you examine http headers with firebug or
>> >> >>>>>>>> something you should be able to see the rule Chi added in the header list.
>> >> >>>>>>>> I believe he would have added it for both http and https, but I'd have to
>> >> >>>>>>>> check. Not at my machine right now. It's more important for http in this
>> >> >>>>>>>> case...
>> >> >>>>>>>>
>> >> >>>>>>>> Micah
>> >> >>>>>>>>
>> >> >>>>>>>>
>> >> >>>>>>>>
>> >> >>>>>>>> On Tuesday, June 18, 2013, Tim Haverland - NOAA Federal
>> >> >>>>>>>> <tim.haverland at noaa.gov> wrote:
>> >> >>>>>>>>>
>> >> >>>>>>>>> Micah, is CORS supported on the production version of geoserver? I'm
>> >> >>>>>>>>> trying to implement my map in our content management system, and get the
>> >> >>>>>>>>> following error:
>> >> >>>>>>>>> Origin http://triggerfish2.nmfs.noaa.gov:9992 is not allowed by
>> >> >>>>>>>>> Access-Control-Allow-Origin.
>> >> >>>>>>>>>
>> >> >>>>>>>>> Maybe it's the port that's throwing things off?
>> >> >>>>>>>>> Tim
>> >> >>>>>>>>>
>> >> >>>>>>>>> On Thu, Jun 13, 2013 at 1:27 PM, Micah Wengren - NOAA Federal
>> >> >>>>>>>>> <micah.wengren at noaa.gov> wrote:
>> >> >>>>>>>>>>
>> >> >>>>>>>>>> Hi Tim,
>> >> >>>>>>>>>>
>> >> >>>>>>>>>> We have *.noaa.gov enabled anyway for CORS support now. If you can
>> >> >>>>>>>>>> copy your openlayers page to your dev server and test it out and let me know
>> >> >>>>>>>>>> if it works, that would be great. Whenever you get a chance, no rush.
>> >> >>>>>>>>>>
>> >> >>>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> --
>> >> >>>>> Tim Haverland
>> >> >>>>> Acting Operations Branch Chief
>> >> >>>>> NOAA Fisheries Office of Science and Technology
>> >> >>>>> 1315 East-West Highway
>> >> >>>>> SSMC3 Rm 12303
>> >> >>>>> Silver Spring, MD 20910
>> >> >>>>> 301-427-8137
>> >> >>>>>
>> >> >>>>>
>> >> >>>>
>> >> >>>>
>> >> >>>> --
>> >> >>>> Tim Haverland
>> >> >>>> Acting Operations Branch Chief
>> >> >>>> NOAA Fisheries Office of Science and Technology
>> >> >>>> 1315 East-West Highway
>> >> >>>> SSMC3 Rm 12303
>> >> >>>> Silver Spring, MD 20910
>> >> >>>> 301-427-8137
>> >> >>>>
>> >> >>>> _______________________________________________
>> >> >>>> Open.ogc mailing list
>> >> >>>> Open.ogc at list.woc.noaa.gov
>> >> >>>> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
>> >> >>>>
>> >> >>>
>> >> >>>
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Tim Haverland
>> >> > Acting Operations Branch Chief
>> >> > NOAA Fisheries Office of Science and Technology
>> >> > 1315 East-West Highway
>> >> > SSMC3 Rm 12303
>> >> > Silver Spring, MD 20910
>> >> > 301-427-8137
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Chi Y Kang
>> >> Principal Engineer
>> >> Phone: 301.628.5642
>> >> Cell: 240.338.1059
>> >
>> >
>> >
>> >
>> > --
>> > Tim Haverland
>> > Acting Operations Branch Chief
>> > NOAA Fisheries Office of Science and Technology
>> > 1315 East-West Highway
>> > SSMC3 Rm 12303
>> > Silver Spring, MD 20910
>> > 301-427-8137
>> >
>> >
>> >
>>
>>
>>
>> --
>> Chi Y Kang
>> Principal Engineer
>> Phone: 301.628.5642
>> Cell: 240.338.1059
>
>
>
>
> --
> Tim Haverland
> Acting Operations Branch Chief
> NOAA Fisheries Office of Science and Technology
> 1315 East-West Highway
> SSMC3 Rm 12303
> Silver Spring, MD 20910
> 301-427-8137
--
Chi Y Kang
Principal Engineer
Phone: 301.628.5642
Cell: 240.338.1059
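
Added example (not part of the original message or of the NOAA configuration): a simplified JavaScript model of the browser's two preflight checks, replayed against the server states this thread went through, plus a per-request origin rule of the kind discussed above. The function names, the noaa.gov suffix rule and the Vary header are assumptions of this sketch; the header values are taken from the captures quoted in the thread.

```javascript
// Added example, not code from the thread. Header values mirror the ones quoted above.

// Server side: build CORS response headers for one request's Origin.
// Access-Control-Allow-Origin carries "*" or a single exact origin, so a rule
// like "any noaa.gov host" has to be evaluated per request and the origin echoed.
function corsHeadersFor(origin) {
  let u;
  try { u = new URL(origin); } catch (e) { return {}; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return {};
  const host = u.hostname.toLowerCase();
  // Anchored suffix test: "notnoaa.gov" and "noaa.gov.example.com" do not match.
  if (host !== "noaa.gov" && !host.endsWith(".noaa.gov")) return {};
  return {
    "access-control-allow-origin": u.origin, // keeps a non-default port such as :9992
    "access-control-allow-headers": "origin, x-requested-with",
    "vary": "Origin", // the response now differs per origin, so caches must key on it
  };
}

// Browser side, simplified: the two preflight checks behind the errors in the thread.
function checkPreflight(req, res) {
  const acao = res["access-control-allow-origin"];
  if (acao !== "*" && acao !== req.origin) return { ok: false, failed: "origin" };
  const allowed = (res["access-control-allow-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const missing = req.requestHeaders.filter((h) => !allowed.includes(h.toLowerCase()));
  return missing.length ? { ok: false, failed: "headers", missing } : { ok: true };
}

// Constructed preflight, modelled on the request capture quoted in the thread.
const preflight = {
  origin: "http://www.st-test.nmfs.noaa.gov",
  requestHeaders: ["origin", "x-requested-with"],
};

// The three server states the thread goes through, then the per-request variant.
function replayThread() {
  return {
    literalPattern: checkPreflight(preflight, { "access-control-allow-origin": "*.noaa.gov" }),
    starOnly: checkPreflight(preflight, { "access-control-allow-origin": "*" }),
    starWithHeaders: checkPreflight(preflight, {
      "access-control-allow-origin": "*",
      "access-control-allow-headers": "origin, x-requested-with",
    }),
    reflected: checkPreflight(preflight, corsHeadersFor(preflight.origin)),
  };
}
```

The literal "*.noaa.gov" value fails the origin check, "*" alone passes it but fails the header check, and both "*" with the allowed headers and the echoed origin pass. The echoed-origin variant keeps access limited to noaa.gov hosts instead of opening the service to every origin.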