Re: [Xsltforms-support] cross-domain questions again
Brought to you by:
alain-couthures
Menu
▾
▴
Re: [Xsltforms-support] cross-domain questions again
|
From: <bc...@sh...> - 2016-10-11 08:17:33
|
Hi Thank you for the response and the food for though it has provided regarding the use of a proxy of some sort as a 'get around'. After all this time, I would have thought that some progress would have been made to allow cross-domain resource access that respects a balance of functionality requirement and security. Perhaps it is a little more risky and troublesome than I can imagine. I will give your suggestion some thought. Thank you again. Habs On 10 October 2016 at 21:38, C. M. Sperberg-McQueen < cm...@bl...> wrote: > > > On Oct 10, 2016, at 6:23 AM, bc...@sh... wrote: > > > > Hello xsltforms-support@ > > > > I think I understand correctly that it is not allowed to POST/PUT a > resource to a domain other than the one the xform was loaded from. > > > > Is it possible to GET a resource from a different domain to the one the > xform was loaded from please? > > If it is, I haven’t figured out how. (There may be ways to set the > browser configuration to allow it, but I haven’t figured out how to do > it for myself, let alone explain to users what they would have to do. > You may have better luck in that regard.) > > In my experience, dealing with the Same-Origin policy in the > browser is one of the most challenging issues in deploying XForms > solutions. (Challenging in part because it seems to be hard to > get clear accurate information about what exactly browsers do > and don’t allow, and challenging because for those not actively > engaged in security work the restrictions often appear arbitrary, > capricious, and unmotivated. I have been told on good authority > that they really aren’t, but it’s hard to believe that, given that the > browser vendors don’t enforce similar constraints against > Javascript.) > > What I end up doing is configuring Apache on my server to work > as a proxy server, and specifying in the .htaccess configuration > file for a particular directory that if the user requests resource > XYZ/W/VU.xml from that directory, the server should fetch > http://ww.otherserver.example.com/W/XYZ/VU.xml (or whatever) > and send it to the client. > > In shared hosting environments, the service provider sometimes > won’t allow using Apache as a proxy; in that case, I write a simple > bash or PHP script to do essentially the same thing (taking care to > serve a clearly identified set of URIs from a clearly identified > originating host, to try to minimize whatever security exposure there > is in such a proxy service). > > I hope this helps. > > ******************************************** > C. M. Sperberg-McQueen > Black Mesa Technologies LLC > cm...@bl... > http://www.blackmesatech.com > ******************************************** > > |
