AJAX calls to Assets Server are blocked by Web browsers if the Web page that is making the call is not on one of the configured domains. By default, only the server domain is allowed.
Example: If Assets Server is running on http://elvis.yourdomain.com and you want to perform a cross-domain REST search from a Web page hosted on http://www.yourdomain.com, the Web browser will not perform the request.
Note: The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin. (See mozilla.org: Same-origin policy.)
Cross-domain solutions
There are several techniques you can use to work around the same-origin restrictions imposed by Web browsers. The following techniques are supported by Assets Server.
CORS (Cross-Origin Resource Sharing)
CORS is a technology available in modern Web browsers. It depends on special headers and behavior provided by the Web server that receives the API calls.
The Assets Server supports this kind of behavior and will send the appropriate headers and responses to browsers. When needed, it will respond with an Access-Control-Allow-Origin header.
Restricting domains
To specify the origins from which cross-domain calls to the Server are accepted, set the following option in the cluster-config.properties.txt file:
- security.accessControlAllowOrigin. Default value: empty (no cross-domain origin is allowed; only pages served from the Assets Server domain itself can call the API).
To allow specific origins, use a comma-separated list of values. The values must be lowercase and can contain * as a wildcard, which matches any characters except dots (so one wildcard covers a single DNS label). Because the scheme is part of the value, http:// and https:// origins are matched separately.
Example: https://example.com,https://www.example.com,https://example.net,https://*.example.org
The last entry, https://*.example.org, matches any direct subdomain of example.org over https (for example https://assets.example.org). It does not match https://example.org itself, and it does not match deeper names such as https://a.b.example.org, because the wildcard stops at dots.
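As an added illustration (not Assets Server code and not the server's actual implementation), the following JavaScript reproduces the matching rules described above for a security.accessControlAllowOrigin value and derives the CORS response headers a server sends when a request's Origin is allowed or rejected. The function names, the exact set of response headers, the preflight method and header lists, and the sample origins are all assumptions made for this example:

```javascript
// Added example: an allow-list matcher in the spirit of
// security.accessControlAllowOrigin, plus the CORS response headers that
// follow from the decision. Not Assets Server code; all names are assumed.

// Escape regex metacharacters in a literal fragment of an entry.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// One allow-list entry -> anchored RegExp. The entry is expected lowercase;
// '*' matches any run of characters except '.', so https://*.example.org
// matches exactly one subdomain label and never https://example.org itself.
function entryToRegExp(entry) {
  const body = entry.split('*').map(escapeRegExp).join('[^.]*');
  return new RegExp('^' + body + '$');
}

// Parse the comma-separated option value. An empty value (the default)
// yields an empty list, i.e. no cross-domain origin is accepted.
function parseAllowList(value) {
  return value
    .split(',')
    .map(s => s.trim())
    .filter(s => s.length > 0)
    .map(entryToRegExp);
}

// Match the request's Origin header against the list. Scheme, host and
// (if present) port are all part of the string being matched, and the
// RegExp is anchored, so no suffix/prefix trick can slip past it.
function isOriginAllowed(allowList, origin) {
  if (typeof origin !== 'string' || origin.length === 0) return false;
  const o = origin.toLowerCase();
  return allowList.some(re => re.test(o));
}

// Headers for a credentialed cross-domain request (withCredentials: true).
// Returns null when the origin is not allowed: the server then sends no CORS
// headers at all and the browser refuses to hand the response to the page.
// A credentialed request cannot use '*', so the exact origin is echoed back,
// and Vary: Origin keeps shared caches from serving it to another origin.
function corsHeaders(allowList, origin, preflight = false) {
  if (!isOriginAllowed(allowList, origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
  if (preflight) {
    // Reply to an OPTIONS preflight; the method/header lists are assumed.
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Constructed sample: the option value from the example in the text above.
const SAMPLE_OPTION =
  'https://example.com,https://www.example.com,https://example.net,https://*.example.org';

// Evaluate a set of constructed origins against the sample option value.
function demo() {
  const list = parseAllowList(SAMPLE_OPTION);
  const origins = [
    'https://example.com',              // listed explicitly
    'https://assets.example.org',       // one label under example.org
    'https://example.org',              // apex is not covered by the wildcard
    'https://a.b.example.org',          // two labels: '*' stops at dots
    'http://example.com',               // wrong scheme
    'https://example.com.attacker.net', // anchored match, no suffix trick
  ];
  return origins.map(o => ({ origin: o, allowed: isOriginAllowed(list, o) }));
}

for (const r of demo()) console.log(r.allowed ? 'ALLOW' : 'BLOCK', r.origin);
```

Run it with node to see which of the constructed origins pass; only the first two are allowed. The null return for a rejected origin is deliberate: sending no Access-Control-Allow-Origin at all is what makes the browser block the cross-domain call described at the top of this article.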
To enable cross-domain requests using jQuery, pass the following to the AJAX call so that the browser sends the session cookie with the request and accepts the credentialed response:
    $.ajax({
        url: a_cross_domain_url,
        xhrFields: {
            withCredentials: true
        }
    });
Note: For a request made with withCredentials: true, the browser also requires the response to carry Access-Control-Allow-Credentials: true and an Access-Control-Allow-Origin that names the calling origin exactly; a wildcard value is rejected for credentialed requests. The calling origin must therefore be covered by an entry in security.accessControlAllowOrigin.
For more information on CORS:
- wikipedia: Cross-origin resource sharing
- w3c: Cross-Origin Resource Sharing
- jQuery.com: jQuery.ajax()
Authentication
In some scenarios, cross-domain calls make it difficult to keep an authenticated session across requests.
Example: Session cookies set by a cross-domain response are ignored by the Web browser unless the request was made with credentials (withCredentials: true, see above). Current browsers additionally refuse to send a cookie cross-site at all unless it is marked SameSite=None; Secure.
URL Request secrets offer an alternative that does not depend on a browser session: they allow images to be requested even if the browser has no authenticated session with the server.
Adobe Flash crossdomain.xml
Cross-domain requests from a Flash SWF file to an Assets Server installation on a different domain require a crossdomain.xml file to be placed at the root level of Assets Server.
Because all content on the domain is usually served by Assets Server (unless you use a proxy), we have provided a sample file named '-crossdomain.xml' in the Config folder of Assets Server. To use it, rename the file to 'crossdomain.xml' and change its settings as required.
For more information: