Re: [Xsltforms-support] two questions about the loading of instances

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On Feb 23, 2011, at 1:48 AM, COUTHURES Alain wrote:

> Hello Michael,
> 
>> A form I've written is behaving in an unexpected way; I wonder if
>> there is a flaw in the way XSLTForms is loading this external instance
>> or if there is a flaw in my expectations or my form.
>> 
>> I've made a simplified version of the form and placed it at
>> 
>>   http://www.blackmesatech.com/2011/02/test.xhtml
>> 
>> Short description: specifying an instance on another site leads either
>> to a cross-site scripting error (more or less expected), or to a parse
>> error because the browser (? or someone -- who?) is trying to parse
>> the external XML document as Javascript.   Main question:  what is
>> going on?
>> 
> Here is my short answer ;-)

Thank you very much.  

> 
> The cross-domain feature in XSLTForms is experimental. It is limited to JSONP because it appears to be the unique possibility. I will present this at XML Prague 2011!

OK!  I look forward to the talk.

> 
>> I didn't think this would work, since I expected it to raise an
>> immediate cross-site scripting error, but I made the change anyway so
>> I could transcribe the precise wording of the error message and
>> persuade the system administrator that his suggestion would not work
>> and we'll need to work something else out.  To my surprise, the form
>> appears to be loading the document, without raising a cross-site
>> scripting error (at least not in Safari).  But it's not initializing
>> the instance successfully.
>> 
>> The demo test form has two instances, A and B.  A is internal and is
>> only there to illustrate that some things do work as expected.  B is
>> external and from a different domain (here, the form is on
>> www.blackmesatech.com and instance B is served from
>> tei2010.blackmesatech.com).
>> 
>> The Safari activity window, the browser debugging tools in various
>> browsers, and my server logs all show that when the form requests
>> document B, it's appending '&callback=jsoninst' to the URI.  So
>> instead of a request for
>> 
>>   http://tei2010.blackmesatech.com/data/Gorbals/gorbals-1851-status-codes.xml
>> 
>> the server is receiving a request for
>> 
>>   http://tei2010.blackmesatech.com/data/Gorbals/gorbals-1851-status-codes.xml&callback=jsoninst
>> 
>> which doesn't exist.  When I first encountered this problem, the URI
>> in question already contained query parameters, so the
>> "&callback=jsoninst" at the end was just one more and the document is
>> served normally regardless.
>> 
>> So my first question is: should the code that appends
>> "callback=jsoninst" check to see whether there are already query
>> parameters, and use "?" instead of "&" if there are not?
>> 
>> For testing purposes, I've changed the relevant line in the definition
>> of XFInstance.prototype.construct to
>> 
>>     scriptelt.setAttribute("src", this.src
>>         + ((this.src.indexOf("?") == -1) ? "?" : "&") + "callback=jsoninst");
>> 
>> The server is now receiving a request with "?callback=jsoninst" at the
>> end, and serving the data normally (ignoring the unexpected query
>> parameter).
> Thank you for pointing at this issue. Because it's just experimental, it hadn't been tested yet without any parameter...
> 
> XSLTForms is considering every cross-domain request to be of JSONP kind...

I think that is the key point I failed to understand going in to this
problem.

It makes sense -- indeed, the fact that cross-site scripting restrictions
are not enforced is often given as a reason to prefer JSON to 
XML, so I should have realized that any cross-site loading of data
must use Javascript.

>> 
> This is the way JSONP is working: a call to the callback function is generated by the external server with the JSON object as parameter.

Right.  OK, I think I understand that.

> 
> 
> URL Rewriting might be a workaround:
> 
> I tried adding this line in my localhost .htaccess Apache config file:
> 
> RewriteRule gorbals-1851-status-codes.xml        http://tei2010.blackmesatech.com/data/Gorbals/gorbals-1851-status-codes.xml  [L]
> 
> This way, an HTTP 302 Found code is sent back to the browser to ask for the redirection to be performed locally. Then, the corresponding new request sent by the browser is slightly different from the first one (a Range parameter is present...) and, unfortunately, tei2010.blackmesatech.com, at last, is answering with a 206 Partial Content code and a link-exception is generated...

I will have to do some research to understand this, but it looks as
if it should be worth the effort to learn.  If it's possible
to do simple proxying in this way by adding rewrite rules to the
Apache configuration, that would solve this kind of problem for
many purposes.  Whenever we know, when writing a form, exactly 
what class of documents will be needed from other domains, 
then it would be very convenient to be able to provide proxy
access to them simply by using rewrite rules in the .htaccess
file.

> 
> Activating the Apache proxy mechanism should be another possibility...
> 
> Maybe your system administrator can change something for you in at least one of the servers config files.

Yes.  At the server configuration level, many things are possible.

Michael

-- 
****************************************************************
* C. M. Sperberg-McQueen, Black Mesa Technologies LLC
* http://www.blackmesatech.com 
* http://cmsmcq.com/mib                 
* http://balisage.net
****************************************************************