servalproject / serval-dna

The Serval Project's core daemon that implements Distributed Numbering Architecture (DNA), MDP, VoMP, Rhizome, MeshMS, etc.
http://servalproject.org

Cross-domain HTTP requests or static HTTP fileserver #79

Closed TobiasWooldridge closed 10 years ago

TobiasWooldridge commented 10 years ago

To implement a web interface for serval-dna, one of the following three needs to be implemented

For the implementation of CORS, it may suffice to have a fixed OPTIONS response of the following form

200 OK
Allow: HEAD,GET,PUT,DELETE,OPTIONS

And a header of the form

Access-Control-Allow-Origin: *

For the implementation of JSONP, a GET parameter must be accepted, the application/javascript content type must be accepted, and the JSON response body must be wrapped in a JS call to the function named by this argument; e.g.

GET /foo?callback=nyan
Content-Type: application/

Would return a response with the body

nyan({ .. json .. });

JSONP and CORS are likely the easiest methods to implement server-side. CORS is simplest to implement client-side (cross-origin AJAX requests can be treated as though they were on the origin host).

I don't know how to implement the file server or JSONP, but implementing CORS doesn't seem too tough and I could at least hack that together. Any suggestions?

TobiasWooldridge commented 10 years ago

For now I'm simply using an HTTP proxy which intercepts all OPTIONS requests and sets the following headers, though I don't think this is an effective long-term solution.

// headers set by the proxy on every intercepted OPTIONS response
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "GET,HEAD,POST,OPTIONS,TRACE");
response.setHeader("Access-Control-Allow-Headers", "Authorization");
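As an added example (not code from serval-dna or from this thread), here is the OPTIONS/CORS behaviour sketched in the two comments above written as pure functions over header objects, so it can be exercised without opening a socket. The function names and the trusted-origin list are assumptions. It goes slightly beyond the thread: besides the wildcard `Access-Control-Allow-Origin: *` form it shows echoing a matched origin from an allowlist, and it applies the header to the actual GET/PUT response as well, because the browser checks it there too, not only on the preflight.

```javascript
// Added example, not serval-dna code: the OPTIONS/CORS responses the thread
// sketches, as pure functions over header objects. Names and the trusted
// origin list are assumptions for the example.

const ALLOWED_METHODS = ["HEAD", "GET", "PUT", "DELETE", "OPTIONS"];
const ALLOWED_REQUEST_HEADERS = ["Authorization", "Content-Type"];

// Decide the Access-Control-Allow-Origin value (or null for none).
// trustedOrigins === null reproduces the thread's "Access-Control-Allow-Origin: *".
// With a Set of origins, the matching origin is echoed back instead and an
// unknown origin gets no CORS header at all, so the browser blocks the call.
function allowOriginFor(origin, trustedOrigins) {
  if (origin === undefined) return null; // same-origin or non-browser client
  if (trustedOrigins === null) return "*";
  return trustedOrigins.has(origin) ? origin : null;
}

// Status and headers for an OPTIONS request. reqHeaders uses lower-cased
// names, as Node's http.IncomingMessage.headers does.
function preflightResponse(reqHeaders, trustedOrigins) {
  const headers = { "Allow": ALLOWED_METHODS.join(",") };
  const allow = allowOriginFor(reqHeaders["origin"], trustedOrigins);
  const method = (reqHeaders["access-control-request-method"] || "GET").toUpperCase();
  if (allow === null || !ALLOWED_METHODS.includes(method)) {
    // Plain OPTIONS, untrusted origin, or a method we do not serve:
    // answer with Allow only and no Access-Control-* headers.
    return { status: 200, headers };
  }
  headers["Access-Control-Allow-Origin"] = allow;
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(",");
  headers["Access-Control-Allow-Headers"] = ALLOWED_REQUEST_HEADERS.join(",");
  headers["Access-Control-Max-Age"] = "600";
  // A per-origin answer must not be served from cache to a different origin.
  if (allow !== "*") headers["Vary"] = "Origin";
  return { status: 204, headers };
}

// The browser also checks Access-Control-Allow-Origin on the actual
// response, so the same decision is applied to every non-OPTIONS reply.
function withCorsHeaders(reqHeaders, responseHeaders, trustedOrigins) {
  const allow = allowOriginFor(reqHeaders["origin"], trustedOrigins);
  const out = Object.assign({}, responseHeaders);
  if (allow !== null) {
    out["Access-Control-Allow-Origin"] = allow;
    if (allow !== "*") out["Vary"] = "Origin";
  }
  return out;
}
```

To wire this into a Node server, call `preflightResponse(req.headers, trusted)` when `req.method === "OPTIONS"` and `withCorsHeaders(req.headers, headers, trusted)` for everything else, passing the result to `res.writeHead`. The wildcard form is only honoured by browsers for requests made without credentials (no `withCredentials` / `credentials: "include"`); a request that should carry cookies needs the echoed-origin form.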

quixotique commented 10 years ago

Regarding JSONP, I would use a GET query parameter called jsonp not callback, because it is more self-documenting.

In the example given, the GET request should not include a Content-Type header, because it has no content. The HTTP server should simply detect the jsonp parameter and change its response Content-Type from application/json to application/javascript and enclose the JSON content in the function call as JSONP mandates.
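The JSONP handling described in this comment and in the opening post, as an added example that is not part of the thread or of serval-dna: a response builder that detects the `jsonp` query parameter (the name suggested here), switches the Content-Type to application/javascript and wraps the JSON body in the call. The callback name is restricted to a dotted JavaScript identifier, which is the check a server needs so that a request cannot choose arbitrary script text for a response the browser will execute. `parseQuery` and `jsonResponse` are assumed names.

```javascript
// Added example, not serval-dna code: JSONP wrapping as described in the
// thread, using the "jsonp" parameter name. Function names are assumptions.

// Only a plain identifier path such as "nyan" or "app.onData" is accepted as
// the callback, so the request cannot inject other script into the response.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Parse the query string of a request target into a Map (first value wins).
function parseQuery(target) {
  const params = new Map();
  const q = target.indexOf("?");
  if (q < 0) return params;
  for (const pair of target.slice(q + 1).split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const k = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const v = decodeURIComponent(eq < 0 ? "" : pair.slice(eq + 1));
    if (!params.has(k)) params.set(k, v);
  }
  return params;
}

// Build the response for a JSON resource. `payload` is the object the handler
// would normally serve as application/json; `target` is the request path
// including its query string (e.g. "/foo?jsonp=nyan").
function jsonResponse(target, payload) {
  const json = JSON.stringify(payload);
  const callback = parseQuery(target).get("jsonp");
  if (callback === undefined) {
    // No jsonp parameter: ordinary JSON response, exactly as before.
    return { status: 200, headers: { "Content-Type": "application/json" }, body: json };
  }
  if (!CALLBACK_RE.test(callback)) {
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: "invalid jsonp callback name\n" };
  }
  // U+2028/U+2029 are legal inside JSON strings but end a line in JavaScript
  // source, so escape them before the JSON becomes part of a script.
  const safeJson = json.replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript",
      // Keep browsers from treating the script as some other content type.
      "X-Content-Type-Options": "nosniff",
    },
    body: `${callback}(${safeJson});`,
  };
}
```

Because a JSONP response is executed as a script by whatever page requested it, the cross-site request forgery concern raised later in this thread applies directly: such an endpoint should serve only data that any origin may read, and nothing tied to the caller's cookies or session.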

quixotique commented 10 years ago

I can see that either JSONP or CORS is needed, but not both. CORS is documented as superior to JSONP because it is more general and is not vulnerable to cross-site request forgery, which might be an issue for fetching decrypted payloads.

Isn't a static file server going to be needed in either case?

lakeman commented 10 years ago

Added support for OPTIONS verb and Origin header for cross-site scripting from local servers. 31cf3a6