[Open.ogc] CORS Support for services.ogc.noaa.gov
Tim Haverland - NOAA Federal
tim.haverland at noaa.gov
Thu Jun 27 17:41:34 UTC 2013
Still get ...
Request header field X-Requested-With is not allowed by
Access-Control-Allow-Headers.
case sensitive?
On Thu, Jun 27, 2013 at 1:32 PM, Chi Kang - NOAA Federal <
chi.y.kang at noaa.gov> wrote:
> Give it a try now.
>
> $ lwp-request -UsSe -d "http://services.ogc.noaa.gov/geoserver/index.html
> "
> GET http://services.ogc.noaa.gov/geoserver/index.html
> User-Agent: lwp-request/5.810
>
> GET http://services.ogc.noaa.gov/geoserver/index.html --> 200 OK
> Connection: close
> Date: Thu, 27 Jun 2013 17:31:45 GMT
> Server: Apache
> Vary: Accept-Encoding
> Content-Length: 657
> Content-Type: text/html;charset=UTF-8
> Content-Type: text/html; charset=ISO-8859-1
> Last-Modified: Thu, 05 Jul 2012 04:25:38 GMT
> Access-Control-Allow-Headers: origin, x-requested-with
> Access-Control-Allow-Origin: *
> Client-Date: Thu, 27 Jun 2013 17:31:45 GMT
> Client-Peer: 140.172.17.218:80
> Client-Response-Num: 1
>
> On Thu, Jun 27, 2013 at 1:30 PM, Tim Haverland - NOAA Federal
> <tim.haverland at noaa.gov> wrote:
> > Now I get:
> >
> > Request header field X-Requested-With is not allowed by
> > Access-Control-Allow-Headers.
> >
> > So it looks like my origin passed but header failed.
> >
> >
> > On Tue, Jun 25, 2013 at 1:28 PM, Chi Kang - NOAA Federal
> > <chi.y.kang at noaa.gov> wrote:
> >>
> >> Give it a go.
> >>
> >> On Fri, Jun 21, 2013 at 11:48 AM, Micah Wengren <micah.wengren at noaa.gov
> >
> >> wrote:
> >> > Great! Let us know the outcome.....
> >> >
> >> > Micah
> >> >
> >> >
> >> > On 6/21/2013 11:35 AM, Tim Haverland - NOAA Federal wrote:
> >> >
> >> > Thanks Chi - standing by to test as soon as you can implement this.
> >> >
> >> > Tim
> >> >
> >> >
> >> > On Fri, Jun 21, 2013 at 11:25 AM, Chi Kang - NOAA Federal
> >> > <chi.y.kang at noaa.gov> wrote:
> >> >>
> >> >> Yea, i'm reading the same thing here. For the sake of argument /
> >> >> testing let me try "*" and have Tim validate this.
> >> >>
> >> >>
> >> >> On Thu, Jun 20, 2013 at 8:36 AM, Micah Wengren <
> micah.wengren at noaa.gov>
> >> >> wrote:
> >> >> > I think it may involve a more complicated way to allow by TLD or
> >> >> > .noaa.gov.
> >> >> > Like you said yesterday Chi *.noaa.gov might be a valid value for
> >> >> > that
> >> >> > header. The server might need to dynamically read the Origin
> header
> >> >> > from
> >> >> > the request and return the same URL if it matches a rule. See:
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> http://www.cameronstokes.com/2010/12/26/cross-origin-resource-sharing-and-apache-httpd/
> >> >> > or
> >> >> >
> >> >> >
> >> >> >
> http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains
> >> >> >
> >> >> > Might be more complicated than we expected to allow a specific
> domain
> >> >> > instead of "*".
> >> >> >
> >> >> > Micah
> >> >> >
> >> >> >
> >> >> >
> >> >> > On 6/19/2013 4:25 PM, Tim Haverland - NOAA Federal wrote:
> >> >> >
> >> >> > Chi - if services.ogc.noaa.gov does not allow the header
> >> >> > x-requested-with,
> >> >> > and openlayers is sending that header, wouldn't that be a likely
> >> >> > source
> >> >> > of a
> >> >> > problem?
> >> >> >
> >> >> > I agree that the error message points to an Origin issue, not
> >> >> > headers,
> >> >> > but
> >> >> > it's possible that the error reported by chrome is not that helpful
> >> >> > in
> >> >> > pinpointing the actual problem.
> >> >> >
> >> >> > Regarding the Origin, my request is coming from a noaa.govserver, so
> >> >> > I
> >> >> > can't think of any other reason why my request is being rejected on
> >> >> > an
> >> >> > Origin basis. You are accepting *.noaa.gov so I'd think it would
> be
> >> >> > accepted.
> >> >> >
> >> >> > Tim
> >> >> >
> >> >> >
> >> >> >
> >> >> > On Wed, Jun 19, 2013 at 3:01 PM, Micah Wengren
> >> >> > <micah.wengren at noaa.gov>
> >> >> > wrote:
> >> >> >>
> >> >> >> Chi, I think it's the best option we have from a troubleshooting
> >> >> >> perspective. Other than that, I don't really have an answer
> myself,
> >> >> >> this
> >> >> >> particular topic isn't an area I'm especially familiar with. It
> >> >> >> would
> >> >> >> be
> >> >> >> nice to see what is required in order to support this type of
> >> >> >> communication
> >> >> >> with services.ogc.noaa.gov from NOAA users who want to deploy
> simple
> >> >> >> web
> >> >> >> pages connecting to the services. Tim's use case is a good model
> >> >> >> for
> >> >> >> what
> >> >> >> other users might want.
> >> >> >>
> >> >> >> Any suggestions welcome for what else to test though. It might be
> >> >> >> that
> >> >> >> we
> >> >> >> need to tell users that their Access-Control-Request-Headers needs
> >> >> >> to
> >> >> >> not
> >> >> >> contain any custom header names in order for CORS to work (if this
> >> >> >> was
> >> >> >> indeed the cause for the failure message).
> >> >> >>
> >> >> >> Micah
> >> >> >>
> >> >> >>
> >> >> >> On 6/19/2013 2:20 PM, Chi Kang - NOAA Federal wrote:
> >> >> >>>
> >> >> >>> Explain to me why you think allowing
> >> >> >>> Access-Control-Request-Headers:
> >> >> >>> x-requested-with would solve this problem?
> >> >> >>>
> >> >> >>>
> >> >> >>> On Tue, Jun 18, 2013 at 5:33 PM, Tim Haverland - NOAA Federal
> >> >> >>> <tim.haverland at noaa.gov> wrote:
> >> >> >>>>
> >> >> >>>> OK, I was able to publish my page to our test server, and
> there's
> >> >> >>>> no
> >> >> >>>> port
> >> >> >>>> appended to the origin:
> >> >> >>>>
> >> >> >>>> Accept:
> >> >> >>>> */*
> >> >> >>>> Accept-Encoding:
> >> >> >>>> gzip,deflate,sdch
> >> >> >>>> Accept-Language:
> >> >> >>>> en-US,en;q=0.8
> >> >> >>>> Access-Control-Request-Headers:
> >> >> >>>> origin, x-requested-with
> >> >> >>>> Access-Control-Request-Method:
> >> >> >>>> GET
> >> >> >>>> Cache-Control:
> >> >> >>>> no-cache
> >> >> >>>> Connection:
> >> >> >>>> keep-alive
> >> >> >>>> Host:
> >> >> >>>> services.ogc.noaa.gov
> >> >> >>>> Origin:
> >> >> >>>> http://www.st-test.nmfs.noaa.gov
> >> >> >>>> Pragma:
> >> >> >>>> no-cache
> >> >> >>>> Referer:
> >> >> >>>> http://www.st-test.nmfs.noaa.gov/appstech/map-test
> >> >> >>>> User-Agent:
> >> >> >>>> Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
> >> >> >>>> like
> >> >> >>>> Gecko)
> >> >> >>>> Chrome/27.0.1453.110 Safari/537.36
> >> >> >>>>
> >> >> >>>>
> >> >> >>>> Still get the error:
> >> >> >>>>
> >> >> >>>> Origin http://www.st-test.nmfs.noaa.gov is not allowed by
> >> >> >>>> Access-Control-Allow-Origin
> >> >> >>>>
> >> >> >>>> WOC, can you allow the header x-requested-with to see if that
> >> >> >>>> fixes
> >> >> >>>> the
> >> >> >>>> problem?
> >> >> >>>>
> >> >> >>>> Tim
> >> >> >>>>
> >> >> >>>>
> >> >> >>>> On Tue, Jun 18, 2013 at 4:26 PM, Micah Wengren
> >> >> >>>> <micah.wengren at noaa.gov>
> >> >> >>>> wrote:
> >> >> >>>>>
> >> >> >>>>> Tim,
> >> >> >>>>>
> >> >> >>>>> I found this:
> >> >> >>>>>
> >> >> >>>>>
> >> >> >>>>>
> >> >> >>>>>
> http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request
> >> >> >>>>>
> >> >> >>>>> It sounds like jQuery or some part of the CMS is trying to ask
> >> >> >>>>> whether
> >> >> >>>>> the
> >> >> >>>>> server will accept a header 'x-requested-with'. I'm sure
> that's
> >> >> >>>>> not
> >> >> >>>>> required for OpenLayers, but it's being inserted anyway by some
> >> >> >>>>> part
> >> >> >>>>> of
> >> >> >>>>> your
> >> >> >>>>> site code. I don't know if that would cause the disallowed
> >> >> >>>>> origin
> >> >> >>>>> error
> >> >> >>>>> message you're seeing if the non-standard header isn't
> supported
> >> >> >>>>> or
> >> >> >>>>> not, but
> >> >> >>>>> if it is, there must be some way to disable that within the
> >> >> >>>>> application, or
> >> >> >>>>> this might get kinda complicated to get working.
> >> >> >>>>>
> >> >> >>>>> Either way, are you sure that the port on your server isn't the
> >> >> >>>>> issue?
> >> >> >>>>> From doing a little reading, it seems that since you're using
> a
> >> >> >>>>> non-standard
> >> >> >>>>> port, the 'Origin' header your site will be submitting should
> >> >> >>>>> look
> >> >> >>>>> like
> >> >> >>>>> this:
> >> >> >>>>>
> >> >> >>>>> Origin: http://triggerfish2.nmfs.noaa.gov:9992
> >> >> >>>>>
> >> >> >>>>> It's possible that that might not match the rules in our
> >> >> >>>>> 'Access-Control-Allow-Origin' setting, if it's only a plain
> >> >> >>>>> string
> >> >> >>>>> comparison or something that Apache does.
> >> >> >>>>>
> >> >> >>>>> Micah
> >> >> >>>>>
> >> >> >>>>>
> >> >> >>>>>
> >> >> >>>>> On 6/18/2013 2:41 PM, Tim Haverland - NOAA Federal wrote:
> >> >> >>>>>
> >> >> >>>>> I don't know the inner workings of our content management
> system,
> >> >> >>>>> so
> >> >> >>>>> not
> >> >> >>>>> sure what's sending the x-requested-with header; however, I
> read
> >> >> >>>>> that
> >> >> >>>>> this
> >> >> >>>>> is pretty common with Ajax requests, especially from jQuery.
> >> >> >>>>>
> >> >> >>>>>
> >> >> >>>>> On Tue, Jun 18, 2013 at 2:22 PM, Micah Wengren
> >> >> >>>>> <micah.wengren at noaa.gov>
> >> >> >>>>> wrote:
> >> >> >>>>>>
> >> >> >>>>>> Hi open.ogc at list.woc.noaa.gov,
> >> >> >>>>>>
> >> >> >>>>>> I'm sending this thread I've been on with Tim back to the
> email
> >> >> >>>>>> list
> >> >> >>>>>> to
> >> >> >>>>>> see if we can expedite troubleshooting what the issue is with
> a
> >> >> >>>>>> CORS
> >> >> >>>>>> request
> >> >> >>>>>> from Tim's development server to services.ogc.noaa.gov. He's
> >> >> >>>>>> connecting
> >> >> >>>>>> from:
> >> >> >>>>>>
> >> >> >>>>>> http://triggerfish2.nmfs.noaa.gov:9992
> >> >> >>>>>>
> >> >> >>>>>> and trying to display one of our services on an OpenLayers map
> >> >> >>>>>> (and
> >> >> >>>>>> do
> >> >> >>>>>> a
> >> >> >>>>>> GetFeatureInfo request, which leads to the need for CORS
> >> >> >>>>>> support).
> >> >> >>>>>>
> >> >> >>>>>>
> >> >> >>>>>> I don't really have the answer to his question, anyone at the
> >> >> >>>>>> WOC
> >> >> >>>>>> know
> >> >> >>>>>> about accepting non-standard headers?
> >> >> >>>>>>
> >> >> >>>>>> Tim, do you know why this header is required from your side,
> and
> >> >> >>>>>> what
> >> >> >>>>>> the
> >> >> >>>>>> server should be doing with it?
> >> >> >>>>>>
> >> >> >>>>>> Thanks,
> >> >> >>>>>> Micah
> >> >> >>>>>>
> >> >> >>>>>> On 6/18/2013 2:05 PM, Tim Haverland - NOAA Federal wrote:
> >> >> >>>>>>
> >> >> >>>>>> Yeah, doesn't look like the port is an issue, however, my
> >> >> >>>>>> request
> >> >> >>>>>> is
> >> >> >>>>>> sent
> >> >> >>>>>> with these headers:
> >> >> >>>>>>
> >> >> >>>>>> Access-Control-Request-Headers:
> >> >> >>>>>> origin, x-requested-with
> >> >> >>>>>>
> >> >> >>>>>>
> >> >> >>>>>> I've read that the server may need to accept "non-standard"
> >> >> >>>>>> headers.
> >> >> >>>>>> x-requested-with is a non-standard header. Is this accepted on
> >> >> >>>>>> the
> >> >> >>>>>> server
> >> >> >>>>>> side?
> >> >> >>>>>>
> >> >> >>>>>> Tim
> >> >> >>>>>>
> >> >> >>>>>>
> >> >> >>>>>> On Tue, Jun 18, 2013 at 1:35 PM, Tim Haverland - NOAA Federal
> >> >> >>>>>> <tim.haverland at noaa.gov> wrote:
> >> >> >>>>>>>
> >> >> >>>>>>> yes, response header says:
> >> >> >>>>>>>
> >> >> >>>>>>> Access-Control-Allow-Origin:
> >> >> >>>>>>> *.noaa.gov
> >> >> >>>>>>>
> >> >> >>>>>>>
> >> >> >>>>>>>
> >> >> >>>>>>> On Tue, Jun 18, 2013 at 1:32 PM, Micah Wengren - NOAA Federal
> >> >> >>>>>>> <micah.wengren at noaa.gov> wrote:
> >> >> >>>>>>>>
> >> >> >>>>>>>> Hi Tim,
> >> >> >>>>>>>>
> >> >> >>>>>>>> I don't know what bearing ports have on CORS. Everything
> from
> >> >> >>>>>>>> noaa.gov
> >> >> >>>>>>>> should be allowed though. If you examine http headers with
> >> >> >>>>>>>> firebug
> >> >> >>>>>>>> or
> >> >> >>>>>>>> something you should be able to see the rule Chi added in
> the
> >> >> >>>>>>>> header
> >> >> >>>>>>>> list.
> >> >> >>>>>>>> I believe he would have added it for both http and https,
> but
> >> >> >>>>>>>> I'd
> >> >> >>>>>>>> have to
> >> >> >>>>>>>> check. Not at my machine right now. It's more important for
> >> >> >>>>>>>> http
> >> >> >>>>>>>> in
> >> >> >>>>>>>> this
> >> >> >>>>>>>> case...
> >> >> >>>>>>>>
> >> >> >>>>>>>> Micah
> >> >> >>>>>>>>
> >> >> >>>>>>>>
> >> >> >>>>>>>>
> >> >> >>>>>>>> On Tuesday, June 18, 2013, Tim Haverland - NOAA Federal
> >> >> >>>>>>>> <tim.haverland at noaa.gov> wrote:
> >> >> >>>>>>>>>
> >> >> >>>>>>>>> Micah, is CORS supported on the production version of
> >> >> >>>>>>>>> geoserver?
> >> >> >>>>>>>>> I'm
> >> >> >>>>>>>>> trying to implement my map in our content management
> system,
> >> >> >>>>>>>>> and
> >> >> >>>>>>>>> get the
> >> >> >>>>>>>>> following error:
> >> >> >>>>>>>>> Origin http://triggerfish2.nmfs.noaa.gov:9992 is not
> allowed
> >> >> >>>>>>>>> by
> >> >> >>>>>>>>> Access-Control-Allow-Origin.
> >> >> >>>>>>>>>
> >> >> >>>>>>>>> Maybe it's the port that's throwing things off?
> >> >> >>>>>>>>> Tim
> >> >> >>>>>>>>>
> >> >> >>>>>>>>> On Thu, Jun 13, 2013 at 1:27 PM, Micah Wengren - NOAA
> Federal
> >> >> >>>>>>>>> <micah.wengren at noaa.gov> wrote:
> >> >> >>>>>>>>>>
> >> >> >>>>>>>>>> Hi Tim,
> >> >> >>>>>>>>>>
> >> >> >>>>>>>>>> We have *.noaa.gov enabled anyway for CORS support now.
> If
> >> >> >>>>>>>>>> you
> >> >> >>>>>>>>>> can
> >> >> >>>>>>>>>> copy your openlayers page to your dev server and test it
> out
> >> >> >>>>>>>>>> and
> >> >> >>>>>>>>>> let me know
> >> >> >>>>>>>>>> if it works, that would be great. Whenever you get a
> chance,
> >> >> >>>>>>>>>> no
> >> >> >>>>>>>>>> rush.
> >> >> >>>>>>>>>>
> >> >> >>>>>>
> >> >> >>>>>
> >> >> >>>>>
> >> >> >>>>> --
> >> >> >>>>> Tim Haverland
> >> >> >>>>> Acting Operations Branch Chief
> >> >> >>>>> NOAA Fisheries Office of Science and Technology
> >> >> >>>>> 1315 East-West Highway
> >> >> >>>>> SSMC3 Rm 12303
> >> >> >>>>> Silver Spring, MD 20910
> >> >> >>>>> 301-427-8137
> >> >> >>>>>
> >> >> >>>>>
> >> >> >>>>
> >> >> >>>>
> >> >> >>>> --
> >> >> >>>> Tim Haverland
> >> >> >>>> Acting Operations Branch Chief
> >> >> >>>> NOAA Fisheries Office of Science and Technology
> >> >> >>>> 1315 East-West Highway
> >> >> >>>> SSMC3 Rm 12303
> >> >> >>>> Silver Spring, MD 20910
> >> >> >>>> 301-427-8137
> >> >> >>>>
> >> >> >>>> _______________________________________________
> >> >> >>>> Open.ogc mailing list
> >> >> >>>> Open.ogc at list.woc.noaa.gov
> >> >> >>>> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
> >> >> >>>>
> >> >> >>>
> >> >> >>>
> >> >> >>
> >> >> >
> >> >> >
> >> >> >
> >> >> > --
> >> >> > Tim Haverland
> >> >> > Acting Operations Branch Chief
> >> >> > NOAA Fisheries Office of Science and Technology
> >> >> > 1315 East-West Highway
> >> >> > SSMC3 Rm 12303
> >> >> > Silver Spring, MD 20910
> >> >> > 301-427-8137
> >> >> >
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Chi Y Kang
> >> >> Principal Engineer
> >> >> Phone: 301.628.5642
> >> >> Cell: 240.338.1059
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > Tim Haverland
> >> > Acting Operations Branch Chief
> >> > NOAA Fisheries Office of Science and Technology
> >> > 1315 East-West Highway
> >> > SSMC3 Rm 12303
> >> > Silver Spring, MD 20910
> >> > 301-427-8137
> >> >
> >> >
> >> > _______________________________________________
> >> > Open.ogc mailing list
> >> > Open.ogc at list.woc.noaa.gov
> >> > https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > Open.ogc mailing list
> >> > Open.ogc at list.woc.noaa.gov
> >> > https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
> >> >
> >>
> >>
> >>
> >> --
> >> Chi Y Kang
> >> Principal Engineer
> >> Phone: 301.628.5642
> >> Cell: 240.338.1059
> >> _______________________________________________
> >> Open.ogc mailing list
> >> Open.ogc at list.woc.noaa.gov
> >> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
> >
> >
> >
> >
> > --
> > Tim Haverland
> > Acting Operations Branch Chief
> > NOAA Fisheries Office of Science and Technology
> > 1315 East-West Highway
> > SSMC3 Rm 12303
> > Silver Spring, MD 20910
> > 301-427-8137
>
>
>
> --
> Chi Y Kang
> Principal Engineer
> Phone: 301.628.5642
> Cell: 240.338.1059
>
--
*Tim Haverland*
Acting Operations Branch Chief
NOAA Fisheries Office of Science and Technology
1315 East-West Highway
SSMC3 Rm 12303
Silver Spring, MD 20910
301-427-8137
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://list.woc.noaa.gov/pipermail/open.ogc/attachments/20130627/195ad8bb/attachment-0001.html>
More information about the Open.ogc
mailing list