Quantcast

Access-Control-Allow-Origin

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Access-Control-Allow-Origin

Gili
Hi,

Does Jersey (or JAX-RS) provide (or plan on providing) official support for CORS?

Please see

http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing
http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/

for some background.

Thank you,
Gili
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Access-Control-Allow-Origin

Pavel Bucek-2
Hello Gili,

I don't think so. Do you have some interesting scenario/usecase which
would be possible with Jersey? We do support jsonp, as you most likely
already know..

Regards,
Pavel

On 02/24/2011 04:24 PM, Gili wrote:

> Hi,
>
> Does Jersey (or JAX-RS) provide (or plan on providing) official support for
> CORS?
>
> Please see
>
> http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing
> http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/
>
> for some background.
>
> Thank you,
> Gili
>    

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Access-Control-Allow-Origin

Gili
Pavel,

CORS is a superset of JSONP's capabilities. It works with any media-type, as well as with any HTTP method. JSONP is limited to JSON and HTTP GET.

JSONP requires you to make modifications on both server and client-side code. CORS only requires minimal changes on the server and absolutely no changes on the client (no more ugly <script> hacks).

What I'm expecting from Jersey: At minimum we'd need to be able to do HTTP OPTIONS "mixing" (there is already an open JAX-RS issue against this). CORS requires us to read the input headers, evaluate the user's authorization and reply with headers that indicate his/her permissions.

Gili

Pavel Bucek-2 wrote
Hello Gili,

I don't think so. Do you have some interesting scenario/usecase which
would be possible with Jersey? We do support jsonp, as you most likely
already know..

Regards,
Pavel

On 02/24/2011 04:24 PM, Gili wrote:
> Hi,
>
> Does Jersey (or JAX-RS) provide (or plan on providing) official support for
> CORS?
>
> Please see
>
> http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing
> http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/
>
> for some background.
>
> Thank you,
> Gili
>    
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Access-Control-Allow-Origin

Rimi
Hi,

Can you please explain what you mean by "we'd need to be able to do HTTP OPTIONS "mixing" (there is already an open JAX-RS issue against this)"?


I am trying to set "Access-Control-Allow-Origin" and other headers and return it from OPTIONS method. However, I don't see that this method is invoked. Here is my code:

    @OPTIONS
    @Path("testme")
    public Response testt(@Context HttpServletResponse servlerResponse) {
        servlerResponse.addHeader("Allow-Control-Allow-Methods", "POST,GET,OPTIONS");
        servlerResponse.addHeader("Access-Control-Allow-Credentials", "true");
        servlerResponse.addHeader("Access-Control-Allow-Origin", "*");
        servlerResponse.addHeader("Access-Control-Allow-Headers", "Content-Type,X-Requested-With");
        servlerResponse.addHeader("Access-Control-Max-Age", "60");
        return Response.ok().build();
    }

    @POST
    @Path("testme")
    public String testme(@Context HttpServletResponse servlerResponse) {
        servlerResponse.addHeader("Allow-Control-Allow-Methods", "POST,GET,OPTIONS");
        servlerResponse.addHeader("Access-Control-Allow-Credentials", "true");
        servlerResponse.addHeader("Access-Control-Allow-Origin", "*");
        servlerResponse.addHeader("Access-Control-Allow-Headers", "Content-Type,X-Requested-With");
        servlerResponse.addHeader("Access-Control-Max-Age", "60");
        return "str";
    }


thank you
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Access-Control-Allow-Origin

Gili
Hi Rimi,

    You are returning Response.ok().build(). Any headers you set above this line get ignored because you're not applying them to the object you are returning. You should do this instead:

    return Response.ok().header("Allow-Control-Allow-Methods", "POST,GET,OPTIONS").build();

Gili

On 27/03/2011 4:38 AM, Rimi [via Jersey] wrote:
Hi,

Can you please explain what you mean by "we'd need to be able to do HTTP OPTIONS "mixing" (there is already an open JAX-RS issue against this)"?


I am trying to set "Access-Control-Allow-Origin" and other headers and return it from OPTIONS method. However, I don't see that this method is invoked. Here is my code:

    @OPTIONS
    @Path("testme")
    public Response testt(@Context HttpServletResponse servlerResponse) {
        servlerResponse.addHeader("Allow-Control-Allow-Methods", "POST,GET,OPTIONS");
        servlerResponse.addHeader("Access-Control-Allow-Credentials", "true");
        servlerResponse.addHeader("Access-Control-Allow-Origin", "*");
        servlerResponse.addHeader("Access-Control-Allow-Headers", "Content-Type,X-Requested-With");
        servlerResponse.addHeader("Access-Control-Max-Age", "60");
        return Response.ok().build();
    }

    @POST
    @Path("testme")
    public String testme(@Context HttpServletResponse servlerResponse) {
        servlerResponse.addHeader("Allow-Control-Allow-Methods", "POST,GET,OPTIONS");
        servlerResponse.addHeader("Access-Control-Allow-Credentials", "true");
        servlerResponse.addHeader("Access-Control-Allow-Origin", "*");
        servlerResponse.addHeader("Access-Control-Allow-Headers", "Content-Type,X-Requested-With");
        servlerResponse.addHeader("Access-Control-Max-Age", "60");
        return "str";
    }


thank you


If you reply to this email, your message will be added to the discussion below:
http://jersey.576304.n2.nabble.com/Access-Control-Allow-Origin-tp6060693p6211931.html
To unsubscribe from Access-Control-Allow-Origin, click here.

Loading...