Started looking at this. I'm a little unclear what I'm suppose to do if JsonRpcServlet receives an OPTIONS request. Right now I was just trying the following (after allowing OPTIONS to pass-thru) right after the setCORSheader:
if ("OPTIONS".equals(method)) { servletResponse.addHeader("Access-Control-Allow-Origin", "*"); servletResponse.addHeader("Access-Control-Max-Age", "3600"); servletResponse.addHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS"); return; } The pre-flight request now succeeds but I don't see any further requests from the javascript. Probably my misunderstanding of CORS and XHR. Any suggestions on how to best implement this? Or perhaps I'm not gonna get off easy with just a few lines of code. :) doug On 3/22/12 5:19 PM, "daviesd" <davi...@oclc.org> wrote: > Again... Thanks Stanton for the quick response. Ok, I'll probably spend a few > days with this next week and see what I can do. I know nothing about CORS, > but I'll start reading up on it. > > doug > > > On 3/22/12 5:13 PM, "Stanton Sievers" <ssiev...@us.ibm.com> wrote: > >> Hi Doug, >> >> That matches my findings as well. I've not heard of anyone running the >> container page and shindig server on different domains without having to >> use a proxy on the container page's domain. >> >> >> I'm sure it can be done it just doesn't appear to work with Shindig out >> of the box. I think more would have to be done to implement CORS for the >> JsonRpcServlet. >> >> Regards, >> -Stanton >> >> >> >> From: daviesd <davi...@oclc.org> >> To: <dev@shindig.apache.org>, >> Date: 03/22/2012 17:08 >> Subject: Re: Shindig running on different domain than container >> REVISITED >> >> >> >> Hi Stanton, >> >> So is your earlier statement about things working just fine running the >> container page and shindig on different domains still true? We are >> running >> a proxy just like you are (actually in production it's a load balancer >> rule). I'd like to know if anyone has this working out of the box without >> a >> proxy and just the API_HOST and API_PATH config. Hopefully someone can >> respond. >> >> Mike started digging into this today and I'll continue next week (I'm in >> class this week), but I think his initial finding is that JsonRpcServlet >> is >> rejecting anything that isn't POST or GET (thus rejecting OPTIONS). >> >> Thanks for the help. >> >> doug >> >> >> On 3/22/12 11:30 AM, "Stanton Sievers" <ssiev...@us.ibm.com> wrote: >> >>> Hi Mike, >>> >>> I'm not sure even setting the headers would work (although I haven't >> tried >>> this in a while). My recollection is that part of CORS is that an >> OPTIONS >>> request is sent to Shindig's rpc endpoint as part of the "pre-flight" >>> step. The rpc servlet doesn't support OPTIONS and will return a 405. >> This >>> is something we could and probably should look at fixing in Shindig but >> no >>> one has taken the time to do so so far as I know. Again, it's been a >>> while since I've investigated this so things may have changed. >>> >>> The alternative, and what I've personally done, is have a proxy on the >>> container page's domain that can proxy the /rpc calls to Shindig. That >>> works just fine. You simply setup your API_HOST and API_PATH to utilize >>> the proxy url. >>> >>> Hope that helps. >>> >>> -Stanton >>> >>> >>> >>> From: Michael Matthews <matth...@oclc.org> >>> To: <dev@shindig.apache.org>, Stanton Sievers/Westford/IBM@Lotus, >>> Cc: Douglas Davies <davi...@oclc.org> >>> Date: 03/22/2012 11:17 >>> Subject: Re: Shindig running on different domain than container >>> REVISITED >>> >>> >>> >>> First of all, thanks for the quick response to this. >>> >>> I've modified our UI to pass the API_HOST and API_PATH as mentioned >> below. >>> I >>> know see an HTTP OPTIONS request failing. From the browser's console: >>> >>> XMLHttpRequest cannot load >>> >> http://worldkat.dev.oclc.org/opensocial/rpc?st=oclc%3AilCK3wGsfqUWqIct7oHK19 >> >>> >>> >> RHViz9iHzb9ON-FGx5SeW_dk80zHiMOislNdLbszrLT-d6tjzTJw97nDIx92xDoCfQ3LW-JuWc8w >>> >> k4HZrHckNYnMG9P1wiZtInHqq9-VqET8W-fusiWAAaazBul0ARi0RI2K6cJINxRZ7-7yhExX_Gny >>> >> IW4PumEVYs9f6-6iRR6WsUEoKGATW13PtUM3NmDNZOhFI2E19l4yTlLibK2r68IN7LY_Lx6QJ6kl >>> >> PN7a_cIe5IYBRFV-SAvcexnCfnnlp5gjbs9unXeGSDIedJesYi8daX0b4-DmUVFUMexi7e3txdCY >>> >> inHExk7XYfbAgjc8Qpi8YEngUiTJzI2E5A02_Eb9B8kf5KEeaR4yKehI3DTKY6JTMCO6dQupqzu7 >>> >> oHDS2n7H3SgCIjpfzBycsrhiioiNJfOInQ0hd3FJ3g9U4geJzz_5mPli-vXB3xL6WaDL5wtXHYYT >>> GGVW0i_tKZKGTsjpFwLmD9gmytlt47pMEPW8zTWg. Origin http://localhost:8080 >>> <http://localhost/> is not allowed by Access-Control-Allow-Origin. >>> >>> The OPTIONS request has the following headers set: >>> >>> Access-Control-Request-Method: POST >>> Origin: http://localhost:8080 >>> Access-Control-Request-Headers: Origin, Content-Type >>> >>> I found the post >>> http://www.mail-archive.com/dev@shindig.apache.org/msg03230.html which >>> suggests additional configuration is required to set this in the PHP >>> version >>> of Shindig. >>> >>> >>> In the java version of shindig, is there additional configuration >> required >>> to set a Access-Control-Allow-Origin header on the response to allow the >>> cross-site request? >>> >>> Thanks >>> Mike >>> >>> >>> On 3/22/12 7:23 AM, "Stanton Sievers" <ssiev...@us.ibm.com> wrote: >>> >>>> From what I understand rpc_relay setup is only needed if you are using >>> the >>>> ifpc transport for rpc. You can force this by setting >> useLegacyProtocol >>>> in your container config but why you would want to do that I do not >>> know. >>>> With modern browsers (html5) Shindig makes use of window.postMessage >>>> (wpm) to do rpc and you don't have to worry about the relay setup. In >>>> general the fallback for non-html 5 browsers is using a flash technique >>> if >>>> possible. If you're interested in the way the rpc transport is chosen, >>>> you can check out rpc.js#getTransport() for more info. >>>> >>>> -Stanton >>>> >>>> >>>> >>>> From: "Davies,Douglas" <davi...@oclc.org> >>>> To: <dev@shindig.apache.org>, >>>> Date: 03/21/2012 20:28 >>>> Subject: Re: Shindig running on different domain than container >>>> REVISITED >>>> >>>> >>>> >>>> Thanks Stanton. So no rpc_relay setup etc.? Seems last time I did this >>> I >>>> ran into that. >>>> >>>> Doug >>>> >>>> Sent from my iPhone >>>> >>>> On Mar 21, 2012, at 3:43 PM, "Stanton Sievers" <ssiev...@us.ibm.com> >>>> wrote: >>>> >>>>> Hi Doug, >>>>> >>>>> Yes, things work just fine running the container page and shindig on >>>>> different domains. You can set the >>>> osapi.container.ServiceConfig.API_HOST >>>>> and osapi.container.ServiceConfig.API_PATH when creating your >>>>> osapi.container.Container object to get the right pointers in place. >>>>> >>>>> Best regards, >>>>> -Stanton >>>>> >>>>> >>>>> >>>>> From: daviesd <davi...@oclc.org> >>>>> To: shindig <dev@shindig.apache.org>, >>>>> Date: 03/21/2012 13:04 >>>>> Subject: Shindig running on different domain than container >>>>> REVISITED >>>>> >>>>> >>>>> >>>>> About a year ago there was a discussion about shindig running on a >>>>> different >>>>> domain than the container. >>>>> >>>>> http://permalink.gmane.org/gmane.comp.web.shindig.devel/6824 >>>>> >>>>> Up till this point we have been running our shindig servers and our >>>>> container webapps on the same domain. We¹d like to move away from >>> this. >>>> >>>>> Is >>>>> this possible with shindig 2.5.0? Have there been changes since this >>>>> discussion? If so, is there documentation on what configuration needs >>>> to >>>>> happen to get this to work? >>>>> >>>>> Thanks, >>>>> Doug >>>>> >>>>> >>>> >>> >>> >>> >> >> >>