Hi folks, last week I was in a short panic because someone writing a JS client couldn't call my REST service. They were developing on Linux in-house but failing to call my remote office server. To get around this they wrote a local proxy JSP app which sat between them and me, so their scripts were tricked into making local calls. That was a terrible waste of their billable time.
I thought adding Access-Control-Allow-Origin: * would simply unblock everything for everyone, but no. This CORS header worked for me, but the Linux guys asked for 3 more headers, but even that only got us to the next problem where they failed to add a custom request header. They told me that it probably can't be solved on the server side, as the rules are baked into the browsers. And apparently different browser brands have different SOP behaviour. Can anyone confirm what I've said here? Is it worth running more research in the hope I can totally unblock SOP problems? Or will I get lost in a mess of browser implementation quirks and go mad? *Greg*
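The custom-header failure described above, seen from the server side, as an added example that is not part of the original post: a cross-origin request carrying a non-safelisted header makes the browser send a preflight `OPTIONS` request first, and the real call only goes ahead if the response names that header in `Access-Control-Allow-Headers`. The origin `https://app.example.test`, the `X-Client-Id` header and the policy object are assumptions made up for the example.

```javascript
// Added example, not code from the original post. The origin, the X-Client-Id
// header and the policy object are constructed for illustration.
const policy = {
  origins: new Set(["https://app.example.test"]), // explicit allowlist, not "*"
  methods: ["GET", "POST", "PUT"],
  headers: ["content-type", "x-client-id"],       // request headers the API accepts
  maxAge: 600,                                    // seconds a browser may cache the preflight
};

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Returns the CORS response headers to send, or null when none should be sent
// (for a cross-origin call the browser then refuses it).
function corsResponseHeaders(policy, req) {
  const h = lowerKeys(req.headers);
  const origin = h["origin"];
  if (!origin || !policy.origins.has(origin)) return null;

  const out = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  const askedMethod = h["access-control-request-method"];
  if (req.method !== "OPTIONS" || !askedMethod) return out; // not a preflight

  // Preflight: every requested method and header must be in the policy.
  const askedHeaders = (h["access-control-request-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (!policy.methods.includes(askedMethod.toUpperCase())) return null;
  if (!askedHeaders.every((name) => policy.headers.includes(name))) return null;

  out["Access-Control-Allow-Methods"] = policy.methods.join(", ");
  out["Access-Control-Allow-Headers"] = policy.headers.join(", ");
  out["Access-Control-Max-Age"] = String(policy.maxAge);
  return out;
}

// Constructed preflight, as a browser would send before a PUT with X-Client-Id.
const preflight = {
  method: "OPTIONS",
  headers: {
    Origin: "https://app.example.test",
    "Access-Control-Request-Method": "PUT",
    "Access-Control-Request-Headers": "content-type, x-client-id",
  },
};
console.log(corsResponseHeaders(policy, preflight));
```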
