jpillora / xdomain

A pure JavaScript CORS alternative
https://jpillora.com/xdomain/

XDomain between Google Drive hosted site and Google Apps Script webapp; possible? #129

Closed martinhbramwell closed 9 years ago

martinhbramwell commented 9 years ago

I am trying to use XDomain between a web site I am hosting in Google Drive and a REST service I am building using Google Apps Script. I don't understand enough about CORS, nor about how far Google allows one to customize the server side services: HtmlService, ContentService to try to go that route. I think XDomain may offer a better alternative. On the other hand it may not even be possible. So far I cannot get it to work at all.

The published web site address out of Google Drive will be of the form ...

https://googledrive.com/host/{folder_Id}/index.html

... but causes a redirect to ...

https://{some_server_Id}.googledrive.com/host/{folder_Id}/index.html


The permanent URL for the ContentService REST server in development mode is ...

https://script.google.com/macros/s/{project_id}/dev

... which redirects to ...

https://script.googleusercontent.com/macros/echo?user_content_key={very_long_key}


The permanent production mode URL for the ContentService REST server is ...

https://script.google.com/macros/s/{a_different_project_id}/exec

... which redirects to ...

https://script.googleusercontent.com/macros/echo?user_content_key={a_different_very_long_key}


The "master" web page looks like this:

  <html>
      <head>
          <title>Cross Domain Test Client</title>

          <script src="//cdn.rawgit.com/jpillora/xdomain/0.6.17/dist/xdomain.js" slave="https://script.google.com/macros/s/AKfycby4ei-azV1lAkPEBij0VNFgNsKeH2GQ5jBoM0TnyHai/dev?proxy.html">
            xdomain.debug = true;
          </script>
          <script type="text/javascript" src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>

          <link rel="stylesheet" type="text/css" href="style.css">
      </head>
      <body>
          HTML : OK!
          <div id="msgid">
          </div>
          <script type="text/javascript" src="cross_domain.js"></script>
      </body>
  </html>

cross_domain.js

  $(document).ready(function(){
    $.get('https://script.google.com/macros/s/AKfycby4ei-azV1lAkPEBij0VNFgNsKeH2GQ5jBoM0TnyHai/dev?req=VWxyz').done(function(data) {
      console.log("got result: ", data);
    });    

    $("#msgid").html("JQuery : OK! (V0.3)");
  });

doGet() Handler on the Google Apps Script "slave"

  var xDomainHostKey = '0B6GUFwft5liMcllpRDl3Ukh2bkU';
  var xDomainMaster = '{"https://googledrive.com/host/' + xDomainHostKey + '/index.html": "/dev/*"}';

  var crossDomainProxy = '';
  crossDomainProxy += '<!DOCTYPE HTML>';
  crossDomainProxy += '<script src="//cdn.rawgit.com/jpillora/xdomain/0.6.17/dist/xdomain.min.js"></script>';
  crossDomainProxy += '<script>xdomain.masters(' + xDomainMaster + ');</script>';

  function doGet (url) {

    var rslt = null;
    if (url.parameter['proxy.html'] === '') {
      rslt = ContentService.createTextOutput(crossDomainProxy);
    } else {
      rslt = ContentService.createTextOutput("Got : " + JSON.stringify(url.parameter));
    }
    return rslt;
  }

console.log

   Refused to display 'https://script.googleusercontent.com/macros/echo?user_content_key=xqN42FbZl…l--mI4Ou4nKnNo0s58jdl_kQ7u--hnZjV4WE&lib=Mpr6sMTu-vyU4-2ogrlB4FUOK-x3Ef2zq' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'. 
   xdomain (https://07f8746d8412ea1e55d8287f7e0bc678263da188.googledrive.com): Timeout waiting on iframe socket

Response Headers

  access-control-allow-origin:*
  alternate-protocol:443:quic,p=0.02
  cache-control:no-cache, no-store, max-age=0, must-revalidate
  content-encoding:gzip
  content-type:text/plain; charset=utf-8
  date:Mon, 05 Jan 2015 14:26:39 GMT
  expires:Fri, 01 Jan 1990 00:00:00 GMT
  pragma:no-cache
  server:GSE
  status:200 OK
  version:HTTP/1.1
  x-content-type-options:nosniff
  x-frame-options:SAMEORIGIN
  x-xss-protection:1; mode=block

My question

Am I right that I cannot use XDomain if I cannot change the "x-frame-options" header attribute?

jpillora commented 9 years ago

Thanks for the detailed report. However, you are correct: XDomain requires iframes to function. I should add this to the docs.


martinhbramwell commented 9 years ago

That's a big disappointment.

Seems like Google really doesn't want Drive sites to access Apps Scripts sites.

Great initiative with XDomain, though! Congratulations.
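
The framing failure discussed in this thread can be read straight off the response headers. The following is an added example, not part of the thread and not xdomain's own code: `proxyBlockers` and `matchesSource` are hypothetical helper names, and the check is simplified to the direct parent frame and to the `text/html` content type.

```javascript
// Added example (not xdomain's code): list the response-header reasons a page
// cannot act as an iframe proxy ("slave") for a given master origin.
// Simplification: only the direct parent is checked; browsers check every ancestor.
function matchesSource(src, parent, self) {
  if (src === "'none'") return false;
  if (src === "'self'") return parent.origin === self.origin;
  if (src === '*') return true;
  // host-source: [scheme://][*.]host  (ports, paths, scheme-only sources not handled)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(src);
  if (!m) return false;
  if (m[1] && m[1].toLowerCase() + ':' !== parent.protocol) return false;
  const host = m[3].toLowerCase();
  return m[2] ? parent.hostname.endsWith('.' + host) : parent.hostname === host;
}

function proxyBlockers(headers, proxyUrl, masterOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const self = new URL(proxyUrl), parent = new URL(masterOrigin);
  const blockers = [];

  // CSP frame-ancestors, when present, replaces X-Frame-Options.
  const fa = (h['content-security-policy'] || '').split(';')
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) {
    if (!fa.slice(1).some(s => matchesSource(s, parent, self)))
      blockers.push('frame-ancestors excludes ' + parent.origin);
  } else {
    const xfo = (h['x-frame-options'] || '').toUpperCase();
    if (xfo === 'DENY' || (xfo === 'SAMEORIGIN' && parent.origin !== self.origin))
      blockers.push('X-Frame-Options: ' + xfo);
  }
  // The proxy has to execute script, so it must be served as HTML.
  const type = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (type !== 'text/html') blockers.push('Content-Type: ' + (type || '(none)'));
  return blockers;
}

// Header values and origins copied from the thread above.
const THREAD_HEADERS = {
  'content-type': 'text/plain; charset=utf-8',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'SAMEORIGIN',
};
const PROXY = 'https://script.googleusercontent.com/macros/echo';
const MASTER = 'https://07f8746d8412ea1e55d8287f7e0bc678263da188.googledrive.com';
console.log(proxyBlockers(THREAD_HEADERS, PROXY, MASTER));
```

For the headers in this thread the function reports two blockers: the `SAMEORIGIN` framing restriction and the `text/plain` content type, either of which alone stops the proxy page from running inside the master's iframe.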