Jun -
That is a nice link you found. It says it was last updated January 2010. I am
surprised that I hadn't read it before. There is a lot of information there
which seems to be contrary to my personal experience. There may be a trick or
detail that is unclear or missing.
Working with iOS 3.2 and 4.1, and the 3.2.2 for the iPad, I have never been able
to get a response from XMLHttpRequest if I specified any domain at all. In
particular, I do not see the request show up in the Apache Server logs. I do
not see how the cross-site operation can be dependent on a server response, if
the server never gets the request. Obviously, I am missing something here.
Maybe some subtle header in the request is required to make iOS send it in the
first place. Just not too clear to my tiny brain.
Also, the security issue has to do with forging cookies and pages on look-alike
web sites. It is more of a browser issue than a server-side concern. I presume
from the documentation that the browser is sending an "Origin: ..." header
filled in from the URL of the current page. (But maybe you have to put it there
yourself??) The Server is expected to send back a matching
"Access-Control-Allow-Origin: ..." header in the response. This is all very
twisty, and I am not sure it really solves the problem it claims to.... It
seems to me that the security is far too tangled up in the browser being well
behaved. If the browser were capable of lying to the server, enabling ANY
cross-site origin feature on the server would be opening the door to disaster.
They probably expect all of these concerns to be handled by the credential
mechanism, though.
My suggestion: just make sure the web page and the XML request go to the same
server, and leave off any domain in the GET.
-----
For your entertainment, you might look at
http://wisen.us/pricecalc
which is a little toy that I did a while back, when I first waded through all
these issues. It uses the XML gimmick to get currency conversions from the same
server. It is a pure HTML/CSS/JavaScript implementation that you can look at in
your browser.
Brian
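
[Added example, not part of either message or of Apple's documentation.] A model of the "Origin" / "Access-Control-Allow-Origin" exchange discussed in this thread: the server compares the request's Origin against an allowlist, and the browser then decides whether script may read the response. The function names and the `app.example` / `other.example` origins are constructed for illustration.

```javascript
// Constructed allowlist of page origins that may read this server's responses.
const ALLOWED_ORIGINS = new Set(["http://app.example", "https://app.example"]);

// Server side: choose the CORS response headers for a request's Origin header.
function corsResponseHeaders(originHeader, { credentials = false } = {}) {
  const headers = { Vary: "Origin" };             // caches must key on Origin
  if (originHeader === undefined) return headers; // no Origin header sent
  if (!ALLOWED_ORIGINS.has(originHeader)) return headers; // unknown origin: no allow header
  // Exact allowlist match only; never echo back an arbitrary Origin value.
  headers["Access-Control-Allow-Origin"] = originHeader;
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Browser side: once the response has arrived, may page script read it?
function browserExposesResponse(pageOrigin, headers, withCredentials = false) {
  const allow = headers["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;
  if (withCredentials) {
    // "*" is rejected for credentialed requests; the origin must match exactly.
    return allow === pageOrigin &&
           headers["Access-Control-Allow-Credentials"] === "true";
  }
  return allow === "*" || allow === pageOrigin;
}

// Both halves together. A non-browser client can send any Origin it likes,
// so this check limits what page script can read; it is not authentication.
function exchange(pageOrigin, opts = {}) {
  const headers = corsResponseHeaders(pageOrigin, opts);
  const readable = browserExposesResponse(pageOrigin, headers, opts.credentials);
  return { headers, readable };
}

console.log(exchange("http://app.example"));   // allowed origin: readable
console.log(exchange("http://other.example")); // not on the allowlist: blocked
```
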
________________________________
From: jun <[email protected]>
To: iPhoneWebDev <[email protected]>
Sent: Tue, November 2, 2010 9:06:58 PM
Subject: Re: not access to webservice from safari
Hi all, Thanks so much.
I read this apple page about "Using XMLHttpRequest for Cross-Site
Requests".
http://developer.apple.com/library/safari/#documentation/AppleApplications/Conceptual/SafariJSProgTopics/Articles/XHR.html#//apple_ref/doc/uid/TP40006227-SW1
And I searched for "XMLHttpRequest Level2" on Google.
It seems to be able to use XMLHttpRequest for cross-site requests.
In order to do so, the response header "Access-Control-Allow-Origin" must be
sent by the remote web server.
I implemented this header in my server-side program, but xhr didn't
work and an error was thrown.
jun
--
You received this message because you are subscribed to the Google Groups
"iPhoneWebDev" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/iphonewebdev?hl=en.