Its because of same origin policy enforced by browsers and not because of 
cross site scripting (which is an attack).

If you don't want to make your REST service JSONP compatible and you don't 
want to use CORS headers then you must make sure that your GWT app can 
access the REST service through the same domain/origin that the GWT app is 
served from. Usually you can do that by configuring a reverse proxy on 
http://gwt-domain.com that redirects your GWT server requests from 
http://gwt-domain.com/api/* to http://rest-backend.com/* or similar.

Such a proxy also gives you the freedom to move your backend to other 
locations without updating the GWT app itself. We use NGINX as such a proxy.

The only other alternative is that the GWT app makes requests to a servlet 
running on the host that serves the GWT app and that servlet then makes a 
request to the REST backend. So that servlet then also acts as a proxy. For 
example you could install such a servlet on http://gwt-domain.com/api/*

-- J.

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.

Reply via email to