Cross domain queries in Web browsers #466

macosforgebot · 2011-10-31T00:38:35Z

jan.mate@… originally submitted this as ticket:468

Owner: @glyph

It is impossible to access the calendarserver from javascript due to cross domain security limitations in modern browsers. To allow cross domain queries from javascript based caldav/carddav clients it is important to add several new headers to each response (see http://www.w3.org/TR/cors/).

For example, to use my CardDavMATE client (fully javascript based) the user must patch the calendarserver (see the included patch).

macosforgebot · 2011-10-31T00:38:58Z

jan.mate@… originally submitted this as attachment:calendarserver_CardDavMATE.diff:⁠ticket:468

Attachment calendarserver_CardDavMATE.diff (2.8 KB) added

macosforgebot · 2011-12-01T01:29:28Z

@wsanchez originally submitted this as comment:1:⁠ticket:468

Owner changed from @wsanchez to @glyph
Milestone set to CalendarServer-3.x

macosforgebot · 2011-12-01T01:38:42Z

@wsanchez originally submitted this as comment:2:⁠ticket:468

I hate web browsers…

I'm not sure the web2/server.py is appropriate… I assume these values aren't correct for all servers, or you wouldn't need these headers in the first place. Certainly the allowed methods list needs to correspond to what's allowed on the resource being requested.

macosforgebot · 2012-09-26T20:31:30Z

@wsanchez originally submitted this as comment:3:⁠ticket:468

Milestone changed from CalendarServer-3.x to Later

macosforgebot · 2012-09-26T20:49:54Z

jan.mate@… originally submitted this as comment:4:⁠ticket:468

Replying to wsanchez@…:

I hate web browsers…

I'm not sure the web2/server.py is appropriate… I assume these values aren't correct for all servers, or you wouldn't need these headers in the first place. Certainly the allowed methods list needs to correspond to what's allowed on the resource being requested.

Sorry for the late response ... you are right - my patch is not 100% correct (but it works) ... according the http://www.w3.org/TR/cors/#resource-preflight-requests the good solution is:

if there is a Access-Control-Request-Method header
and the request is OPTIONS
then the request is PREFLIGHT request (without authentication) and needs special response (headers from my patch) with 200 code

macosforgebot · 2015-03-27T00:29:07Z

@wsanchez originally submitted this as comment:24:⁠ticket:468

Status changed from new to closed
Resolution set to Not to be fixed

Expiring old bugs with unknown state and impact.

macosforgebot closed this as completed Mar 27, 2015

macosforgebot added P3: Important Not to be fixed Other Enhancement labels Sep 29, 2016

macosforgebot added this to the Later milestone Sep 29, 2016

Cross domain queries in Web browsers #466

Cross domain queries in Web browsers #466

macosforgebot commented Oct 31, 2011

macosforgebot commented Oct 31, 2011

macosforgebot commented Dec 1, 2011

macosforgebot commented Dec 1, 2011

macosforgebot commented Sep 26, 2012

macosforgebot commented Sep 26, 2012

macosforgebot commented Mar 27, 2015

Cross domain queries in Web browsers #466

Cross domain queries in Web browsers #466

Comments

macosforgebot commented Oct 31, 2011

macosforgebot commented Oct 31, 2011

macosforgebot commented Dec 1, 2011

macosforgebot commented Dec 1, 2011

macosforgebot commented Sep 26, 2012

macosforgebot commented Sep 26, 2012

macosforgebot commented Mar 27, 2015