Skip to content
This repository has been archived by the owner. It is now read-only.

Cross domain queries in Web browsers #466

Closed
macosforgebot opened this issue Oct 31, 2011 · 6 comments
Closed

Cross domain queries in Web browsers #466

macosforgebot opened this issue Oct 31, 2011 · 6 comments

Comments

@macosforgebot
Copy link

@macosforgebot macosforgebot commented Oct 31, 2011

jan.mate@… originally submitted this as ticket:468


It is impossible to access the calendarserver from javascript due to cross domain security limitations in modern browsers. To allow cross domain queries from javascript based caldav/carddav clients it is important to add several new headers to each response (see http://www.w3.org/TR/cors/).

For example, to use my CardDavMATE client (fully javascript based) the user must patch the calendarserver (see the included patch).

@macosforgebot
Copy link
Author

@macosforgebot macosforgebot commented Oct 31, 2011

jan.mate@… originally submitted this as attachment:calendarserver_CardDavMATE.diff:⁠ticket:468

@macosforgebot
Copy link
Author

@macosforgebot macosforgebot commented Dec 1, 2011

@wsanchez originally submitted this as comment:1:⁠ticket:468

  • Owner changed from @wsanchez to @glyph
  • Milestone set to CalendarServer-3.x

@macosforgebot
Copy link
Author

@macosforgebot macosforgebot commented Dec 1, 2011

@wsanchez originally submitted this as comment:2:⁠ticket:468


I hate web browsers…

I'm not sure the web2/server.py is appropriate… I assume these values aren't correct for all servers, or you wouldn't need these headers in the first place. Certainly the allowed methods list needs to correspond to what's allowed on the resource being requested.

@macosforgebot
Copy link
Author

@macosforgebot macosforgebot commented Sep 26, 2012

@wsanchez originally submitted this as comment:3:⁠ticket:468

  • Milestone changed from CalendarServer-3.x to Later

@macosforgebot
Copy link
Author

@macosforgebot macosforgebot commented Sep 26, 2012

jan.mate@… originally submitted this as comment:4:⁠ticket:468


Replying to wsanchez@…:

I hate web browsers…

I'm not sure the web2/server.py is appropriate… I assume these values aren't correct for all servers, or you wouldn't need these headers in the first place. Certainly the allowed methods list needs to correspond to what's allowed on the resource being requested.

Sorry for the late response ... you are right - my patch is not 100% correct (but it works) ... according the http://www.w3.org/TR/cors/#resource-preflight-requests the good solution is:

  • if there is a Access-Control-Request-Method header
  • and the request is OPTIONS
  • then the request is PREFLIGHT request (without authentication) and needs special response (headers from my patch) with 200 code

@macosforgebot
Copy link
Author

@macosforgebot macosforgebot commented Mar 27, 2015

@wsanchez originally submitted this as comment:24:⁠ticket:468

  • Status changed from new to closed
  • Resolution set to Not to be fixed

Expiring old bugs with unknown state and impact.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

1 participant