I think the SOP check should be made as a warning instead of an error. Developers want control over their development environment. We don't want to be forced to use the noserver mode if we want to configure our own backend server. I've been using the "SOP hack" since GWT inception in 2006 and have been able to work quite efficiently until the release of 1.5.3.
The noserver mode is less efficient compared to the embedded tomcat mode because: (a) Any changes to images, including ImageBundle, require copying the resources over. (b) Any new classes defined in the RPC requires copying the *.rpc over (c) In effect, any changes to public resources like css, etc. requires copying over. (d) At times for which I do not need to test with backend RPC, I can simply startup the embedded tomcat hosted mode to work on the client side. This is light weight. In noserve mode, I'm forced to startup the entire backend server. This often includes initializing a whole bunch of resources like Spring, Hibernate, etc. which is heavy weight and unnecessary for pure client side testing. I hope I've given enough reasons to make SOP check a warning instead of an error. Please give developers who know what they're doing an option to optimize their development environment. On Thu, Oct 23, 2008 at 9:02 AM, Sumit Chandel <[EMAIL PROTECTED]>wrote: > Hey everyone, > I actually misspoke about what the -whitelist argument actually does. > Apologies in advance for the confusion. > > As it turns out, the -whitelist argument is used to prevent the embedded > browser in hosted mode from popping up dialog boxes when you visit a page > that matches the specified whitelisted URL. There isn't actually a way > around SOP as it is still enforced by the embedded browser. > > The way around the problem is to use hosted mode with the -noserver option > and to setup your own proxy as you would in production for cross-site > communication. The other alternative is to use JSONP for cross-site > communication, a technique which is very well described in Dan Morrill's > article linked below. > > Using GWT for JSON Mashups: > > http://code.google.com/docreader/#p=google-web-toolkit-doc-1-5&s=google-web-toolkit-doc-1-5&t=Article_UsingGWTForJSONMashups > > Hope that helps, > -Sumit Chandel > > On Wed, Oct 22, 2008 at 7:49 AM, Brian <[EMAIL PROTECTED]> wrote: > >> >> Yeah, I couldn't figure out a -whitelist that would work either, so am >> now also doing -noserver. >> I also had imagebundle issues, but didn't bother tracking it down, I >> just copied everything over to the directory where my server serves >> content. Wow -noserver is slow. Not sure if it's because I've copied >> everything over, or what. I don't have time yet to track this down. >> >> >> On Oct 22, 9:52 am, JY <[EMAIL PROTECTED]> wrote: >> > Same problem here. I had no luck with the whitelist parameter. Used >> > the exact same parameters as Brian:- -whitelist "^http[:][/] >> > [/]localhost[:]8080[/]" . Any suggestions? >> > >> > This forced me to use the -noserver option, but created yet another >> > problem for me. In the -noserver mode, my ImageBundles do not work in >> > hosted. I've started a thread here but no reply so far:- >> http://groups.google.com/group/Google-Web-Toolkit/browse_thread/threa... >> > >> > On Oct 22, 7:59 am, Brian <[EMAIL PROTECTED]> wrote: >> > >> > > Yeah, and it was really handy that it did let them through, as IE also >> > > lets the URLs through in web mode (if you've enabled it in IE's >> > > internet options). Great for testing. >> > >> > > I wasn't able to get a -whitelist option to work with 1.5.3 and hosted >> > > mode. Here's what I'm using: >> > > -whitelist "^http[:][/][/]localhost[:]8080[/]" >> > >> > > Any suggestions on the -whitelist to use to get the above posted code >> > > to work in 1.5.3 hosted mode? >> > >> > > Thanks. >> > >> > > On Oct 21, 7:40 pm, "Sumit Chandel" <[EMAIL PROTECTED]> wrote: >> > >> > > > Hello again, >> > > > As it turns out, the SOP warning message that hosted mode issues >> when trying >> > > > to make the request tohttp://localhost:8080/v1in1.5.3is an >> improvement >> > > > over 1.5.2. >> > >> > > > The embedded Tomcat server in hosted mode is actually running on >> port 8888, >> > > > so a request to port 8080 does indeed violate SOP and should not be >> allowed >> > > > to go through. In 1.5.2, it seems that hosted mode was still >> allowing >> > > > requests on different ports to go through, which is actually >> incorrect >> > > > behaviour that looks to now be fixed in 1.5.3. >> > >> > > > Hope that helps, >> > > > -Sumit Chandel >> > >> > > > On Tue, Oct 21, 2008 at 3:37 PM, Sumit Chandel < >> [EMAIL PROTECTED]>wrote: >> > >> > > > > Hello everyone, >> > >> > > > > Hosted mode does indeed respect SOP so as to closely reflect what >> your >> > > > > application would look like running in a deployed environment as >> you >> > > > > debug. You can pass in a -whitelist for specific cross-site URLs >> that >> > > > > you want to communicate with, but that should only be used for >> quick >> > > > > debug cycles to make sure that SOP problems aren't something that >> you >> > > > > forget about and get stuck on at the web mode testing or >> production >> > > > > stage. >> > >> > > > > That said, Brian's code snippet doesn't seem to suggest to be >> making a >> > > > > cross-site request, and so should work. I'm trying to reproduce >> this >> > > > > now to figure out what's going on. >> > >> > > > > Thanks, >> > > > > -Sumit Chandel >> > >> > > > > On Oct 21, 8:08 am, Alex Rice <[EMAIL PROTECTED]> wrote: >> > > > > > I hope someone can clarify this. I thought Hosted Mode did have >> the >> > > > > > SOP restriction and I'm pretty sure I did some testing with >> > > > > > RequestBuilder in 1.5.1 or 1.5.2 and saw the SOP restrictions. >> Being >> > > > > > new to GWT I thought this was just by design. I sure would be >> > > > > > convenient if hosted mode did not obey the SOP! >> > >> > > > > > Alex >> > >> > > > > > On Oct 21, 8:36 am, JY <[EMAIL PROTECTED]> wrote: >> > >> > > > > > > I'm hitting the same problem with 1.5.3 as well. Now, I'm >> forced to >> > > > > > > use the -noserver mode. I hope that same policy origin check >> can be >> > > > > > > removed from the latest build. >> >> > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~----------~----~----~----~------~----~------~--~---
