[Mulgara-general] CORS headers

Gregg Reynolds dev at mobileink.com
Thu Sep 10 12:31:00 UTC 2009


Once I've done a little more experimenting with configurations I'll submit a
patch, but in the meantime, in case anybody is interested, here's what you
need to do to set the Access-Control-Allow-Origin header, per the CORS
spec<http://www.w3.org/TR/cors/>.
In src/jar/querylang/java/org/mulgara/protocol/http/ProtocolServlet.java
stick something like the following in doGet:

      String CORS_Origin = req.getHeader("Origin");
      if (CORS_Origin.startsWith("http://localhost") ||
CORS_Origin.startsWith("null")) {
      resp.setHeader("Access-Control-Allow-Origin", CORS_Origin);
      }

My interpretation is that without this header, FF 3.5 will interpret an
XMLHttpRequest from a page served from localhost to localhost:8080/sparql/
as a cross-site attack and ignore the response body.  This code seems to do
the trick for me, at least for the SPARQL endpoint.   So long as I'm going
through a local webserver, that is; if I just load the html file in the
browser and send an XMLHttpRequest to Mulgara it still doesn't work, even
though the Access-Control-Allow-Origin header is set to null.

-gregg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mulgara.org/pipermail/mulgara-general/attachments/20090910/9af2beee/attachment.htm>


More information about the Mulgara-general mailing list