


Accessing WebDAV Server Located on a Different Domain (Cross-Domain, Cross-Port and Cross-Protocol Requests)

The IT Hit AJAX File Browser can upload and manage files on WebDAV servers located in other domains. If your WebDAV server is located on a different domain, on a different port or uses a different protocol (HTTP / HTTPS), such requests are considered cross-domain, cross-port or cross-protocol and are called cross-origin requests. By default such requests are prohibited by the browser unless the server or the user allows them. To test cross-origin access you can use the Cross-Origin Request Demo page.

Below we describe how to enable cross-origin requests in each of the 4 major browsers.

In Firefox, Safari and Chrome

To enable cross-origin requests in Firefox, Safari and Chrome, your server must attach the following headers to all responses:

Access-Control-Allow-Origin: http://webdavserver.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: PROPFIND, PROPPATCH, COPY, MOVE, DELETE, MKCOL, LOCK, UNLOCK, PUT, GETLIB, VERSION-CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, REPORT, UPDATE, CANCELUPLOAD, HEAD, OPTIONS, GET, POST
Access-Control-Allow-Headers: Overwrite, Destination, Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control

These headers will enable cross-domain requests in Firefox 3.6+, Safari 4+ and Chrome 4+. Older versions of these browsers do not allow cross-domain requests.

Important! Firefox and Chrome require an exact domain in the Access-Control-Allow-Origin header. For servers with authentication these browsers do not allow "*" in this header. The Access-Control-Allow-Origin header must contain the value of the Origin header passed by the client.

Optionally you can also attach the Access-Control-Max-Age header, which specifies the number of seconds that the preflight request will be cached. This reduces the number of requests:

Access-Control-Max-Age: 3600

Important! IT Hit WebDAV Server Engine for .NET and for Java adds the necessary Access-Control headers automatically. You do not need to add them manually.
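For a WebDAV server that has to produce these headers itself, the following added example (not IT Hit code) shows one way to return the value of the Origin header without echoing arbitrary origins: the Origin is checked against an exact allowlist before it is sent back together with Access-Control-Allow-Credentials. ALLOWED_ORIGINS, corsHeaders, applyCors and the listed origins are assumptions made for illustration.

```javascript
// Added example; ALLOWED_ORIGINS, corsHeaders and applyCors are hypothetical
// names, not part of any IT Hit API. The origins below are constructed.
const ALLOWED_ORIGINS = new Set([
  'http://ajaxbrowser.com',   // page that hosts the Ajax File Browser
  'https://ajaxbrowser.com',  // same host over HTTPS is a different origin
]);
const ALLOW_METHODS = 'PROPFIND, PROPPATCH, COPY, MOVE, DELETE, MKCOL, LOCK, ' +
  'UNLOCK, PUT, GETLIB, VERSION-CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, ' +
  'REPORT, UPDATE, CANCELUPLOAD, HEAD, OPTIONS, GET, POST';
const ALLOW_HEADERS = 'Overwrite, Destination, Content-Type, Depth, ' +
  'User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, ' +
  'X-File-Name, Cache-Control';

// Returns the CORS response headers for one request's Origin value.
function corsHeaders(origin) {
  // Vary keeps shared caches from serving one origin's response to another.
  const headers = { 'Vary': 'Origin' };
  // Exact string match only: no substring, suffix or regex tests, and no
  // unconditional echo of Origin, which would let any site send
  // credentialed requests to this server.
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    return headers; // no Access-Control-* headers: the browser blocks the call
  }
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  headers['Access-Control-Allow-Methods'] = ALLOW_METHODS;
  headers['Access-Control-Allow-Headers'] = ALLOW_HEADERS;
  headers['Access-Control-Max-Age'] = '3600';
  return headers;
}

// Node-style handler step. Returns true when the response is finished
// (a preflight), false when the caller should continue to authentication.
function applyCors(req, res) {
  const headers = corsHeaders(req.headers['origin']);
  for (const name of Object.keys(headers)) res.setHeader(name, headers[name]);
  const preflight = req.method === 'OPTIONS' &&
    'access-control-request-method' in req.headers;
  if (!preflight) return false;
  res.statusCode = 204; // a preflight carries no credentials, so answer it here
  res.end();
  return true;
}
```

Call applyCors before the authentication step so that preflight requests are answered without a 401, while every other request still goes through authentication.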

In Internet Explorer

Internet Explorer ignores Access-Control-Allow headers and by default prohibits cross-origin requests for the Internet Zone. To enable cross-origin access go to Tools -> Internet Options -> Security tab and click the “Custom Level” button. Find the Miscellaneous -> Access data sources across domains setting and select the “Enable” option.

If your server is located in the Intranet Zone, by default IE will show a confirmation dialog during the first cross-domain request: “This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?”. To suppress this warning you will need to set the "Access data sources across domains" setting to "Allow".

 

Cross-Domain Requests with Authentication

If your WebDAV server uses Basic, Digest or Integrated Windows Authentication (IWA), a user agent may impose additional limitations. The table below describes which authentication types are supported for cross-domain WebDAV requests:

 

          IE       Firefox   Safari    Chrome
Basic     + (1)    + (2)     + (3)     +
Digest    +        + (2)     + (3)     +
IWA       +        + (2)     + (3)     +

 

Important!
1 - Internet Explorer and Microsoft Office on Windows 7 and Windows Vista by default require an SSL connection for Basic authentication. Details about how to overcome this limitation can be found here.
2 - Firefox requires the OPTIONS request to be unauthenticated when cross-domain requests are used.
3 - Safari never displays a login dialog for cross-origin requests. To display the login dialog, a GET request must be sent via an iframe. See below.

 

Cross-Origin Request with Authentication in Safari

To display the login dialog for cross-origin requests in Safari, the browser must first send a GET request. This request cannot be sent via XmlHttpRequest, only by accessing the server directly, for example via an iframe. The iframe onload event always fires after the user enters credentials in the login dialog. Only when the iframe onload event fires can Ajax File Browser send requests. If authentication fails, the onload event never fires. Below is sample code that you can use to create Ajax File Browser in Safari:

 

var webDavServerUrl = 'http://webdavserver.com/';

function onLoad() {
    // Safari never displays a login dialog for cross-domain XHR requests.
    // We have to create a hidden iframe to get the login dialog and to authenticate.
    if ((navigator.userAgent.indexOf('Safari') != -1) && navigator.userAgent.indexOf('Chrome') == -1) {
        var iframe = document.createElement("IFRAME");
        iframe.style.display = "none";
        document.body.appendChild(iframe);
        iframe.onload = initAjaxFileBrowser; // iframe onload event fires only when the user has successfully authenticated
        iframe.src = webDavServerUrl;
    }
    else {
        initAjaxFileBrowser();
    }
}

function initAjaxFileBrowser() {
    var settings = {
        Id: 'AjaxFileBrowserContainer',   // ID of the HTML control in which Ajax File Browser will be created
        Url: webDavServerUrl,    // the root folder to be displayed in Ajax File Browser
        Style: 'height: 100%; width: 100%',
        FileIconsPath: 'http://ajaxbrowser.com/ITHitService/AjaxFileBrowser/icons/', // path to the folder where file icons are located
        MsOfficeTemplatesPath: 'http://officeserv.com/templ/', // the server on which templates are located must support locks (class 2)
        SelectedFolder: webDavServerUrl  // folder to be selected, same as SetSelectedFolder call
    };

    var ajaxFileBrowser = new ITHit.WebDAV.Client.AjaxFileBrowser.Controller(settings);
}

 

See also: Cross-Origin Request Demo.


Updated: Wednesday, January 25, 2012