Access Control Allow Origin


Access Control Allow Origin

Tyler Palsulich
Hi Folks,

I took a stab at creating an example website to submit a file to the form
resource of our VM. See http://tpalsulich.github.io/TikaExamples/.

If I try to use AJAX to submit the request to make the page prettier (see
the script in the head of the page (with ev.preventDefault() commented
out)), I get the following error:

XMLHttpRequest cannot load http://162.242.228.174:9998/tika/form. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://tpalsulich.github.io' is therefore not allowed access. The
response had HTTP status code 400.

We can't allow the tika-server response header to accept "*" in general,
since that isn't secure. So, would there be interest in including this sort
of site on the VM? Then, the AJAX request won't be external and we won't
have this error.

The version button just takes you to the version resource on the VM
(doesn't do anything with the file).

Tyler
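
The concern in the post above, that tika-server should not answer every origin with "*", as an added example that is not part of the original post and is not Tika or CXF code: a Node.js allow-list check that echoes back only an exactly matching Origin. The function names and the policy object are assumptions; the allowed origin is the example page's origin from the error message, and the sample requests are constructed.

```javascript
'use strict';
// Added example: function names and the policy object are hypothetical.

// Canonical form of an Origin header value, or null if it is not a bare http(s) origin.
function normalizeOrigin(value) {
  if (typeof value !== 'string') return null;
  let url;
  try {
    url = new URL(value);
  } catch (err) {
    return null; // the literal "null" origin and malformed input end up here
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // Browsers send exactly scheme://host[:port]; reject paths, userinfo, queries.
  return url.origin === value.toLowerCase() ? url.origin : null;
}

// Build a policy from configured origins, e.g. the value given to a CORS option.
function buildPolicy(origins, allowCredentials = false) {
  if (origins.includes('*')) {
    // Browsers refuse "*" on credentialed requests, so fail at start-up instead.
    if (origins.length > 1 || allowCredentials) {
      throw new Error('"*" cannot be mixed with other origins or credentials');
    }
    return { allowAny: true, origins: new Set(), allowCredentials: false };
  }
  const allowed = new Set();
  for (const configured of origins) {
    const origin = normalizeOrigin(configured);
    if (origin === null) throw new Error(`not a valid origin: ${configured}`);
    allowed.add(origin);
  }
  return { allowAny: false, origins: allowed, allowCredentials };
}

// CORS response headers for one request; without an
// Access-Control-Allow-Origin key the browser blocks the cross-origin read.
function corsHeaders(requestOrigin, policy) {
  if (policy.allowAny) return { 'Access-Control-Allow-Origin': '*' };
  // The answer depends on the request's Origin, so shared caches must key on it.
  const headers = { Vary: 'Origin' };
  const origin = normalizeOrigin(requestOrigin);
  if (origin !== null && policy.origins.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin; // exact match, echoed back
    if (policy.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Constructed sample requests against an allow-list holding the example page's origin.
const policy = buildPolicy(['http://tpalsulich.github.io']);
for (const sample of [
  'http://tpalsulich.github.io',
  'https://tpalsulich.github.io',              // different scheme
  'http://tpalsulich.github.io.other.example', // look-alike suffix
  'null',                                      // sandboxed iframe or file: page
]) {
  console.log(sample, '->', JSON.stringify(corsHeaders(sample, policy)));
}
```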

Re: Access Control Allow Origin

Sergey Beryozkin
Hi,
Can this CXF filter help?

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java;h=5c15836ca717b45ce832c5f80d8d766121f2216a;hb=HEAD

An annotation-based approach is also possible.
Maybe a -cors option can be passed to Tika Server, which will react to
it by registering a CORS filter set up with the custom CORS properties?

Sergey
On 24/03/15 22:41, Tyler Palsulich wrote:

> Hi Folks,
>
> I took a stab at creating an example website to submit a file to the form
> resource of our VM. See http://tpalsulich.github.io/TikaExamples/.
>
> If I try to use AJAX to submit the request to make the page prettier (see
> the script in the head of the page (with ev.preventDefault() commented
> out), I get the following error:
>
> XMLHttpRequest cannot load http://162.242.228.174:9998/tika/form. No
> 'Access-Control-Allow-Origin' header is present on the requested resource.
> Origin 'http://tpalsulich.github.io' is therefore not allowed access. The
> response had HTTP status code 400.
>
> We can't allow the tika-server response header to accept "*" in general,
> since that isn't secure. So, would there be interest in including this sort
> of site on the VM? Then, the AJAX request won't be external and we won't
> have this error.
>
> The version button just takes you to the version resource on the VM
> (doesn't do anything with the file).
>
> Tyler
>


Re: Access Control Allow Origin

Mattmann, Chris A (3010)
In reply to this post by Tyler Palsulich


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Chris Mattmann, Ph.D.
Chief Architect
Instrument Software and Science Data Systems Section (398)
NASA Jet Propulsion Laboratory Pasadena, CA 91109 USA
Office: 168-519, Mailstop: 168-527
Email: [hidden email]
WWW:  http://sunset.usc.edu/~mattmann/
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Adjunct Associate Professor, Computer Science Department
University of Southern California, Los Angeles, CA 90089 USA
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++






-----Original Message-----
From: Tyler Palsulich <[hidden email]>
Reply-To: "[hidden email]" <[hidden email]>
Date: Tuesday, March 24, 2015 at 3:41 PM
To: "[hidden email]" <[hidden email]>
Subject: Access Control Allow Origin

>Hi Folks,
>
>I took a stab at creating an example website to submit a file to the form
>resource of our VM. See http://tpalsulich.github.io/TikaExamples/.
>
>If I try to use AJAX to submit the request to make the page prettier (see
>the script in the head of the page (with ev.preventDefault() commented
>out), I get the following error:
>
>XMLHttpRequest cannot load http://162.242.228.174:9998/tika/form. No
>'Access-Control-Allow-Origin' header is present on the requested resource.
>Origin 'http://tpalsulich.github.io' is therefore not allowed access. The
>response had HTTP status code 400.
>
>We can't allow the tika-server response header to accept "*" in general,
>since that isn't secure. So, would there be interest in including this
>sort
>of site on the VM? Then, the AJAX request won't be external and we won't
>have this error.
>
>The version button just takes you to the version resource on the VM
>(doesn't do anything with the file).
>
>Tyler


Re: Access Control Allow Origin

Tyler Palsulich
Thank you, Sergey! I didn't know about that feature. I am going to try to
work up a patch this weekend which enables CORS. I'll let you know if I run
into any issues.

Thanks again,
Tyler

On Thu, Mar 26, 2015 at 2:39 AM, Mattmann, Chris A (3980) <
[hidden email]> wrote:

>
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Chris Mattmann, Ph.D.
> Chief Architect
> Instrument Software and Science Data Systems Section (398)
> NASA Jet Propulsion Laboratory Pasadena, CA 91109 USA
> Office: 168-519, Mailstop: 168-527
> Email: [hidden email]
> WWW:  http://sunset.usc.edu/~mattmann/
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Adjunct Associate Professor, Computer Science Department
> University of Southern California, Los Angeles, CA 90089 USA
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Re: Access Control Allow Origin

Sergey Beryozkin
Hi Tyler

Sorry for the delay, I was off for the last few days.
The change you did looks fine; the filter can check the annotations or
can be configured directly (which is what you did).
It might make sense to consider checking a (Java) properties resource as
a possible future enhancement, as a CORS filter may have many properties.
Maybe if a '-cors' is provided then check a well-known class resource
where all of the CORS properties are set; if it is absent, default to
'*', otherwise work with Properties...
The current approach works too; it might be tricky to extend it to support
more properties, but it's great for a start.

Thanks, Sergey




On 27/03/15 18:56, Tyler Palsulich wrote:

> Thank you, Sergey! I didn't know about that feature. I am going to try to
> work up a patch this weekend which enables CORS. I'll let you know if I run
> into any issues.
>
> Thanks again,
> Tyler

Re: Access Control Allow Origin

Tyler Palsulich
Thank you for the feedback!

I think there's an issue (don't remember the number) to be able to specify
a TikaConfig file for tika-server. So, I think that would be the ideal
place to put more complex CORS configuration.

Tyler

On Wed, Apr 1, 2015 at 6:02 AM, Sergey Beryozkin <[hidden email]>
wrote:

> Hi Tyler
>
> Sorry for a delay, I was off for the last few days,
> The change you did looks fine, the filter can check the annotations or can
> be configured directly (which is what you did).
> It might make sense to consider checking a (Java) properties resource as a
> possible future enhancement, as a CORS filter may have many properties,
> May be if a '-cors' is provided then check a well-known class resource
> where all of the cors properties are set, if it is absent - default to '*'
> otherwise work with Properties...
> The current approach works too, might be tricky to extend it to support
> more properties but great for a start
>
> Thanks, Sergey

RE: Access Control Allow Origin

Allison, Timothy B.
Might be thinking of TIKA-944?

Mind if we switch the CORS short option to -C and use "-c" for the tika config file?

-----Original Message-----
From: Tyler Palsulich [mailto:[hidden email]]
Sent: Wednesday, April 01, 2015 11:13 AM
To: [hidden email]
Subject: Re: Access Control Allow Origin

Thank you for the feedback!

I think there's an issue (don't remember the number) to be able to specify
a TikaConfig file for tika-server. So, I think that would be the ideal
place to put more complex CORS configuration.

Tyler


Re: Access Control Allow Origin

Tyler Palsulich
I'll change the option to -C right now. Just looked closer -- TIKA-1426 is
to provide a config for the server and app on the command line.

Tyler

On Wed, Apr 1, 2015 at 11:22 AM, Allison, Timothy B. <[hidden email]>
wrote:

> Might be thinking of TIKA-944?
>
> Mind if we switch the CORS short option to -C and use "-c" for the tika
> config file?