GWT cross-domain requests works in Chrome/FF, fail in IE/Opera

370 views
Skip to first unread message

ussuri

unread,
Jan 10, 2012, 2:23:35 PM1/10/12
to Google Web Toolkit
Hello!

I serve my gwt-based app from Google AppEngine from
<myapp>.appspot.com - both the script (GWT) and data (XMLHTTPRequest
POSTs). If I open https://<myapp>.appspot.com/app.html, everything
works perfectly in all modern browsers.

However, I want to serve the .html page from my custom domain in order
to use SSL: https://mydomain.com/app.html

I modified app.html to include script from appspot; I use a <div> and
do RootPanel.get("my_div"). I hard-coded appspot URLs for POSTs.

This solution works perfectly in Chrome and Firefox with <add-linker
name="xsiframe"/> (or "xs") - I open an HTTPS URL from my custom
domain, it loads GWT via https from appspot.com, and do AJAX
communication (not GWT-RPC, but pure ajax) with my appspot.com app via
ssl/https.

BUT, in IE and Opera the page opens, GWT renders the content in the
page, but AJAX requests fails with XS-origin errors:

com.google.gwt.http.client.RequestPermissionException: The URL
https://***.appspot.com/*** is invalid or violates the same-origin
security restriction

I do set "Access-Control-XXX" headers in my servlet (java), and I
tried to set "X-XSS-Protection" to "0" in my custom domain, but still
IE and Opera do not let me query to appspot.

What can I do to let IE at least to allow posting to appspot.com?

Thanks,
MG

darkflame

unread,
Jan 11, 2012, 4:05:24 AM1/11/12
to Google Web Toolkit
I dont know about IE, but try Opera12 as cross-domain support via CORS
was only added on that version.

karim duran

unread,
Jan 11, 2012, 4:52:36 AM1/11/12
to google-we...@googlegroups.com
Hi darkflame,

As you see, all browsers don't support cross-domain scripting.
The good practice is to avoid cross-domain scripting.

Why ? Because for the moment, it's a W3C draft and not yet implemented
by browsers all implementors.

http://www.w3.org/TR/access-control/

So, your application might not work on any browser, because you don't
know if your application user use a compatible browser.

But, there is an issue :

If you need data from another domain, let request the data from server
side, then transmit the data back to the client.


CLIENT --------------------------> server your app
-------------------------> other domain
<----------------------------------------
<--------------------------------------------

There is a lot of library ( apache client HTTP, Google, REST, etc....)
you can use to do that.

In my opinion, cross domain scripting is a real security problem.

I hope it helps.
Regards.

Karim Duran

2012/1/11 darkflame <dark...@gmail.com>:

> --
> You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
> To post to this group, send email to google-we...@googlegroups.com.
> To unsubscribe from this group, send email to google-web-tool...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
>

ussuri

unread,
Jan 11, 2012, 9:48:53 AM1/11/12
to Google Web Toolkit
OK, I figured it out with IE - their XDomainRequest object (http://
msdn.microsoft.com/en-us/library/cc288060(v=vs.85).aspx) supports
CORS. And if Opera is going to support it in Opera 12, all major
browsers are covered.
Reply all
Reply to author
Forward
0 new messages