Re: [Xsltforms-support] cross-domain questions again
From: C. M. Sperberg-M. <cm...@bl...> - 2016-10-11 08:40:41
> On Oct 10, 2016, at 6:23 AM, bc...@sh... wrote:
>
> Hello xsltforms-support@
>
> I think I understand correctly that it is not allowed to POST/PUT a resource to a domain other than the one the xform was loaded from.
>
> Is it possible to GET a resource from a different domain to the one the xform was loaded from please?

If it is, I haven’t figured out how. (There may be ways to set the browser configuration to allow it, but I haven’t figured out how to do it for myself, let alone explain to users what they would have to do. You may have better luck in that regard.)

In my experience, dealing with the Same-Origin policy in the browser is one of the most challenging issues in deploying XForms solutions. (Challenging in part because it seems to be hard to get clear accurate information about what exactly browsers do and don’t allow, and challenging because for those not actively engaged in security work the restrictions often appear arbitrary, capricious, and unmotivated. I have been told on good authority that they really aren’t, but it’s hard to believe that, given that the browser vendors don’t enforce similar constraints against Javascript.)

What I end up doing is configuring Apache on my server to work as a proxy server, and specifying in the .htaccess configuration file for a particular directory that if the user requests resource XYZ/W/VU.xml from that directory, the server should fetch http://ww.otherserver.example.com/W/XYZ/VU.xml (or whatever) and send it to the client.

In shared hosting environments, the service provider sometimes won’t allow using Apache as a proxy; in that case, I write a simple bash or PHP script to do essentially the same thing (taking care to serve a clearly identified set of URIs from a clearly identified originating host, to try to minimize whatever security exposure there is in such a proxy service).

I hope this helps.

********************************************
C. M. Sperberg-McQueen
Black Mesa Technologies LLC
cm...@bl...
http://www.blackmesatech.com
********************************************
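
The following is an added example, not part of the original message or of XSLTForms: a small CGI script in POSIX shell of the kind the reply describes, serving a clearly identified set of URIs from one originating host. The upstream host and path layout come from the message's example; the function names, the file-name pattern, and the use of curl and PATH_INFO are assumptions.

```sh
#!/bin/sh
# Added example, not from the original message: allowlisted fetch proxy (CGI).
# Assumed: curl is installed; the request path arrives in PATH_INFO.

# The single originating host (from the message's example URL).
UPSTREAM_ORIGIN='http://ww.otherserver.example.com'

# Map local "XYZ/W/<name>.xml" to "<origin>/W/XYZ/<name>.xml".
# Prints the upstream URL and returns 0, or returns 1 for anything else.
map_request() {
  mr_req=$1
  case $mr_req in
    XYZ/W/*.xml) ;;
    *) return 1 ;;
  esac
  mr_name=${mr_req#XYZ/W/}
  mr_name=${mr_name%.xml}
  # Reject empty names and any character outside [A-Za-z0-9_-]; this
  # rules out "/", "..", "?", "@" and ":" so the host cannot be changed.
  case $mr_name in
    '' | *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  printf '%s/W/XYZ/%s.xml\n' "$UPSTREAM_ORIGIN" "$mr_name"
}

# Handle one CGI request: 404 for unlisted paths, 502 if the fetch fails.
serve() {
  if ! sv_url=$(map_request "${PATH_INFO#/}"); then
    printf 'Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\nnot found\n'
    return 0
  fi
  # No -L: redirects are not followed, so the upstream cannot bounce the
  # proxy to another host. Response size and total time are capped.
  if sv_body=$(curl --silent --fail --proto '=http' --max-time 10 \
                    --max-filesize 1048576 "$sv_url"); then
    printf 'Content-Type: application/xml\r\n\r\n%s\n' "$sv_body"
  else
    printf 'Status: 502 Bad Gateway\r\nContent-Type: text/plain\r\n\r\nupstream error\n'
  fi
}

# Run only under a web server (CGI sets GATEWAY_INTERFACE).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
  serve
fi
```

Because the client never supplies the host or scheme, only a validated file name, the script cannot be used to reach arbitrary URLs.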