Adding dev@

On Tue, Jan 26, 2016 at 3:06 PM, Fazlan Nazeem <[email protected]> wrote:
>
> Cross origin calls are not supported in ML at the moment. This issue was
> raised when Miyuru/Thamali were working with Swagger previously. Also I
> came across this issue when I had to make REST API calls from Zeppelin
> notebook server and Nethaji was facing the same issue with building the
> recommendation site.
>
> The issue can be fixed by adding a filter with the following configuration
> to web.xml of api.war.
>
> <filter>
>   <filter-name>CorsFilter</filter-name>
>   <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>   <init-param>
>     <param-name>cors.allowed.methods</param-name>
>     <param-value>GET,POST,HEAD,OPTIONS,PUT,DELETE</param-value>
>   </init-param>
>   <init-param>
>     <param-name>cors.allowed.headers</param-name>
>     <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization</param-value>
>   </init-param>
> </filter>
>
> There are a couple of things which should be noted.
>
>    - A cross origin call is identified by the "*Origin*" header of the
>    request.
>    - With this filter all cross origin calls will be diverted through
>    this filter and the request will be successfully served.
>    - The browser automatically adds the Origin header to a request if it
>    sees that an API call is made to an external host.
>    - If a cross origin request is invalid it will send a 403 forbidden
>    error to the requester. (This is done by the filter)
>
> Important:
>
>    - With some reading[6] and debugging I have found out that
>    Chrome/Safari adds the origin header to all *POST/PUT/DELETE* requests
>    even if it is sent to the same origin. Firefox does not add the origin
>    header for same origin requests.
>    - Since Chrome adds the origin header to non-CORS requests, all Ajax
>    requests should be in valid format in order to avoid the 403 error
>    mentioned above.
>    - We have some Ajax calls which are not in valid format (the
>    "contentType" header is missing). These requests will work without the
>    filter, but will throw a 403 in Chrome after adding the filter and will
>    still work in Firefox.
>
> I have found 5 places[1,2,3,4,5] where we have missed mentioning the
> *contentType* of a (POST/PUT/DELETE) request. If you come across any such
> places, please fix them.
>
> Also would like to know if anyone is aware of fixing this issue from a
> better approach.
>
> [1] https://github.com/wso2/carbon-ml/blob/master/apps/ml/site/model/model.jag#L196
> [2] https://github.com/wso2/carbon-ml/blob/master/apps/ml/site/analysis/analysis.jag#L623
> [3] https://github.com/wso2/carbon-ml/blob/master/apps/ml/site/analysis/analysis.jag#L642
> [4] https://github.com/wso2/carbon-ml/blob/master/apps/ml/site/project/compare.jag#L832
> [5] https://github.com/wso2/carbon-ml/blob/master/apps/ml/site/project/compare.jag#L850
> [6] http://stackoverflow.com/questions/13851946/header-origin-vs-host
>
> --
> Thanks & Regards,
>
> Fazlan Nazeem
>
> *Software Engineer*
>
> *WSO2 Inc*
> Mobile : +94772338839
> [email protected]
>

--
Thanks & Regards,

Fazlan Nazeem

*Software Engineer*

*WSO2 Inc*
Mobile : +94772338839
[email protected]
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
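
The audit requested in the message above (finding POST/PUT/DELETE Ajax calls that do not set contentType) can be scripted. This is an added example, not part of the original e-mail or the carbon-ml code base; it assumes the calls are jQuery-style `$.ajax({...})` with literal options, and the sample input, its URLs and handler names are constructed.

```javascript
// Added example: flag $.ajax calls that use POST/PUT/DELETE without contentType.
const WRITE_METHODS = new Set(['POST', 'PUT', 'DELETE']);

// Return the {...} literal starting at index `open`, skipping strings and // comments.
function extractObject(src, open) {
  let depth = 0, quote = null;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === '\\') i++;                  // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '/' && src[i + 1] === '/') {
      while (i < src.length && src[i] !== '\n') i++;
    } else if (c === '"' || c === "'") quote = c;
    else if (c === '{') depth++;
    else if (c === '}' && --depth === 0) return src.slice(open, i + 1);
  }
  return null;                              // unbalanced braces: give up on this call
}

// Heuristic: a type/method key inside a nested object literal is also matched.
function findAjaxMissingContentType(src) {
  const findings = [];
  const call = /\$\.ajax\s*\(\s*\{/g;
  let m;
  while ((m = call.exec(src)) !== null) {
    const obj = extractObject(src, m.index + m[0].length - 1);
    if (obj === null) continue;
    const verb = /\b(?:type|method)\s*:\s*['"](\w+)['"]/i.exec(obj);
    const method = verb ? verb[1].toUpperCase() : 'GET';   // jQuery's default
    if (!WRITE_METHODS.has(method) || /\bcontentType\s*:/.test(obj)) continue;
    findings.push({ line: src.slice(0, m.index).split('\n').length, method });
  }
  return findings;
}

// Constructed sample input (URLs and handlers are made up for illustration).
const SAMPLE = `
$.ajax({
    type: 'POST',   // legacy call, don't remove
    url: serverUrl + '/api/models',
    success: function (res) { render(res); }
});
$.ajax({
    type: 'DELETE',
    url: serverUrl + '/api/models/' + id,
    contentType: 'application/json'
});
$.ajax({ url: serverUrl + '/api/projects', dataType: 'json' });
`;
console.log(findAjaxMissingContentType(SAMPLE));
```

Each finding gives the line of the `$.ajax(` call and its method, so the reported calls can be fixed before the filter is enabled.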
