As to part 2 here "Ok, now for the second thing. How can I make the non-ssl -> ssl protocol switch and not break the Same Origins rules? " - you can't (or at least you shouldn't be able to, if you do it would be a huge hole ;)).
The page you linked there shows the policy pretty clearly. The document.domain thing only applies to a shorter DOMAIN, I am pretty sure. It does NOT apply to a different protocol. Just put both halves of your app in the same protocol/domain so you don't violate the policy? You can still put a non https redirect page at the http location, but it should just immediately redirect and then load your app after it redirects. The redirect page shouldn't load the app and then try to make a request to https and then get redirected (if I understand correctly what you are saying). Try it will all https first, make sure that works, then try to make a redirect page (not a forward) that moves people that come in to the http domain over to https (if it's really a redirect, it should tell the browser to make a NEW request for the https resource, where the app is, and it all should fly). On Oct 2, 3:19 pm, "seven.reeds" <[EMAIL PROTECTED]> wrote: > Hi, > > I am running GWT 1.5.2 under linux with an Apache web server. > > There are a couple of things here. First, I have been developing an > app using a plain "http:" protocol. This app will replace an existing > app. The existing cgi app allows users to go to "http://..."; or > "https://...";. If the user comes in with the non-ssl version then > they are redirected to the ssl version. Again, this is existing > behaviour. > > In the past several minutes I have tried accessing the GWT replacement > app through ssl. I get the Same Origins" violation pop-up. > > With Opera (9.52) I get the pop-up and a blank page. In FireFox > (3.0.3) I get the pop-up but the operation completes. You would think > that FF would not allow the response to happen... right? > > Ok, now for the second thing. How can I make the non-ssl -> ssl > protocol switch and not break the Same Origins rules? I have read > several threads here about the basic topic and have > seen:http://developer.mozilla.org/En/Same_origin_policy_for_JavaScriptand > talk about setting "document.location='my.doman.com';" > > If I put the document.location assignment in <script> tags in the GWT > app's base html file then Opera just gives me a blank page and FireBug > in FF complains about not having permission to access > document.location. I have taken out the script tags. > > Most recently I thought that since GWT is a client-side thing that i > would just make the redirect happen on the server-side. I did that > thinking that the server would change the URL for me and that the > client would only see the ssl'd version. No joy. > > what else...? The GWT app is making a request to a plain old perl CGI > script. > > ideas? --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~----------~----~----~----~------~----~------~--~---
