Hi
Thank you for the response and the food for though it has provided
regarding the use of a proxy of some sort as a 'get around'.
After all this time, I would have thought that some progress would have
been made to allow cross-domain resource access that respects a balance of
functionality requirement and security. Perhaps it is a little more risky
and troublesome than I can imagine.
I will give your suggestion some thought. Thank you again.
Habs
On 10 October 2016 at 21:38, C. M. Sperberg-McQueen <
cms...@blackmesatech.com> wrote:
>
> > On Oct 10, 2016, at 6:23 AM, b...@shroggslodge.freeserve.co.uk wrote:
> >
> > Hello xsltforms-support@
> >
> > I think I understand correctly that it is not allowed to POST/PUT a
> resource to a domain other than the one the xform was loaded from.
> >
> > Is it possible to GET a resource from a different domain to the one the
> xform was loaded from please?
>
> If it is, I haven’t figured out how. (There may be ways to set the
> browser configuration to allow it, but I haven’t figured out how to do
> it for myself, let alone explain to users what they would have to do.
> You may have better luck in that regard.)
>
> In my experience, dealing with the Same-Origin policy in the
> browser is one of the most challenging issues in deploying XForms
> solutions. (Challenging in part because it seems to be hard to
> get clear accurate information about what exactly browsers do
> and don’t allow, and challenging because for those not actively
> engaged in security work the restrictions often appear arbitrary,
> capricious, and unmotivated. I have been told on good authority
> that they really aren’t, but it’s hard to believe that, given that the
> browser vendors don’t enforce similar constraints against
> Javascript.)
>
> What I end up doing is configuring Apache on my server to work
> as a proxy server, and specifying in the .htaccess configuration
> file for a particular directory that if the user requests resource
> XYZ/W/VU.xml from that directory, the server should fetch
> http://ww.otherserver.example.com/W/XYZ/VU.xml (or whatever)
> and send it to the client.
>
> In shared hosting environments, the service provider sometimes
> won’t allow using Apache as a proxy; in that case, I write a simple
> bash or PHP script to do essentially the same thing (taking care to
> serve a clearly identified set of URIs from a clearly identified
> originating host, to try to minimize whatever security exposure there
> is in such a proxy service).
>
> I hope this helps.
>
>
> C. M. Sperberg-McQueen
> Black Mesa Technologies LLC
> cms...@blackmesatech.com
> http://www.blackmesatech.com
>
>
>
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Xsltforms-support mailing list
Xsltforms-support@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xsltforms-support