> On Oct 10, 2016, at 6:23 AM, b...@shroggslodge.freeserve.co.uk wrote:
> Hello xsltforms-support@
> I think I understand correctly that it is not allowed to POST/PUT a resource 
> to a domain other than the one the xform was loaded from.
> Is it possible to GET a resource from a different domain to the one the xform 
> was loaded from please?

If it is, I haven’t figured out how.  (There may be ways to set the
browser configuration to allow it, but I haven’t figured out how to do
it for myself, let alone explain to users what they would have to do.
You may have better luck in that regard.)

In my experience, dealing with the Same-Origin policy in the 
browser is one of the most challenging issues in deploying XForms
solutions.   (Challenging in part because it seems to be hard to 
get clear accurate information about what exactly browsers do 
and don’t allow, and challenging because for those not actively
engaged in security work the restrictions often appear arbitrary,
capricious, and unmotivated.  I have been told on good authority
that they really aren’t, but it’s hard to believe that, given that the
browser vendors don’t enforce similar constraints against

What I end up doing is configuring Apache on my server to work
as a proxy server, and specifying in the .htaccess configuration
file for a particular directory that if the user requests resource
XYZ/W/VU.xml from that directory, the server should fetch
http://ww.otherserver.example.com/W/XYZ/VU.xml (or whatever)
and send it to the client.

In shared hosting environments, the service provider sometimes
won’t allow using Apache as a proxy; in that case, I write a simple
bash or PHP script to do essentially the same thing (taking care to
serve a clearly identified set of URIs from a clearly identified 
originating host, to try to minimize whatever security exposure there
is in such a proxy service).

I hope this helps. 

C. M. Sperberg-McQueen
Black Mesa Technologies LLC

Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
Xsltforms-support mailing list

Reply via email to