@weheh, the quick fix would be using a custom ajax function instead of using web2py_component. It's meant to be used with the server-side LOAD helper. Since you can't create a CORS component using LOAD, I'm not sure if web2py_component should work with CORS either.
So, instead of calling web2py_component, you should write your own javascript function that, using $.ajax, sends CORS requests and handles them.

Marin

On Sat, Dec 21, 2013 at 4:19 PM, Marin Pranjić <marin.pran...@gmail.com> wrote:
> Hello,
>
> I tried to trace down the problem.
>
> If you sign a URL on a different scheme (http -> https) everything works
> when opened manually in the browser.
> But when opening it async, for example using $.ajax, current.session is
> empty.
> This causes URL.Verify to return False because there is no session.auth
> record stored.
>
> CORS requests assign a new session ID every time. Why? Because cookies are
> not sent.
> The jQuery 'fix' is described here:
> http://stackoverflow.com/questions/8863571/cors-request-why-are-the-cookies-not-sent
>
> Solution includes adding xhrFields: {withCredentials: true}.
>
> Should this be treated as a bug in the JS-part of components load?
>
>
> Marin
>
>
> On Sat, Dec 21, 2013 at 3:44 PM, weheh <richard_gor...@verizon.net> wrote:
>
>> I am dead in the water trying to make an https ajax call from an http
>> session. CORS is enabled on server but the web2py_component https URL with
>> user_signature=True now triggers an erroneous non-logged-in response to
>> auth.is_logged_in() when, in fact, the user is logged in.
>>
>> First, thanks to Marin Pranjić's help, I am able to articulate the above
>> statement. A little while ago I couldn't have done so.
>>
>> The trouble with auth.is_logged_in() is mirrored by an error raised by
>> @auth.requires_signature(). In response to an experiment designed by Marin,
>> I documented the following:
>>
>>> If I put the @auth.requires_signature() decorator back into the
>>> controller and reexecute, I get the Firebug error message:
>>> XMLHttpRequest cannot load https://www.blah
>>> blah<https://www.yakitome.com/store/checkout.load?pid=1&_signature=e5308784ae38c2f5f1a67552b4143bf7b9adeca1>.
>>> The request was redirected to
>>> 'https://www.mydomain.com/user/login.load?_next=/blah
>>> blah<https://www.yakitome.com/user/login.load?_next=/store/checkout.load%3Fpid%3D1>',
>>> which is disallowed for cross-origin requests that require preflight.
>>>
>>>
>> Marin replied,
>>
>>> As I expected, auth.requires_signature looks broken. Give me some time,
>>> I am very busy, but I'll try to give you a solution.
>>> Maybe URL.verify instead of decorator.
>>
>>
>> Now, I have that auth.is_logged_in() in a critical spot and
>> @auth.requires_signature() decorators on many functions that are now
>> negatively impacted by this issue. So my sense of urgency is higher than my
>> normal constant sense of urgency. I've been stuck on this for many days so
>> I think I'm ready to ask for as much help as possible. Please.
>>
>> Thank you Marin and the web2py community for all the excellent support.
>> Any suggestions about how to proceed, including from Marin, are appreciated.
>>
>> --
>> Resources:
>> - http://web2py.com
>> - http://web2py.com/book (Documentation)
>> - http://github.com/web2py/web2py (Source code)
>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "web2py-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to web2py+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/groups/opt_out.
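
Added example, not part of the original thread and not web2py's own code: once the client sends `xhrFields: {withCredentials: true}` as described above, the browser exposes the response only if the server names the exact calling origin and sets `Access-Control-Allow-Credentials: true`. The sketch below builds those response headers; the origin value and the header allowlist are constructed assumptions.

```python
# Framework-independent sketch of the server side of a credentialed CORS
# request. All names and values here are assumptions made for the example.

ALLOWED_ORIGINS = {"http://www.example.com"}   # constructed: origin of the http page
ALLOWED_METHODS = ("GET", "POST", "OPTIONS")
ALLOWED_REQUEST_HEADERS = ("content-type",)    # request headers a preflight may ask for


def cors_headers(origin, method="GET", requested_headers="",
                 allowed_origins=ALLOWED_ORIGINS):
    """Return the CORS response headers for a request that carries cookies.

    An empty dict is returned for a missing or unlisted Origin, so the
    browser refuses to hand the response to the calling script.
    """
    if origin is None or origin not in allowed_origins:
        return {}

    headers = {
        # With credentials the browser rejects "*": echo the exact origin,
        # and only after checking it against the allowlist.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Shared caches must not serve one origin's response to another.
        "Vary": "Origin",
    }

    if method.upper() == "OPTIONS":  # preflight request
        wanted = [h.strip().lower()
                  for h in requested_headers.split(",") if h.strip()]
        granted = [h for h in wanted if h in ALLOWED_REQUEST_HEADERS]
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        if granted:
            headers["Access-Control-Allow-Headers"] = ", ".join(granted)
        headers["Access-Control-Max-Age"] = "600"

    return headers


if __name__ == "__main__":
    print(cors_headers("http://www.example.com"))
    print(cors_headers("http://www.example.com", "OPTIONS", "Content-Type"))
    print(cors_headers("http://unlisted.example"))
```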