Cross Domain XHR in FireFox 3.5 with jQuery and Preflighted requests

Hi Everyone,

 

This one has been driving me bug eyed for a couple days now. Hopefully
someone here has some ideas.

 

As of FireFox 3.5, Mozilla has implemented the w3cs Cross-Origin Resource
Sharing recommendation (http://dev.w3.org/2006/waf/access-control/). I am
trying to implement this in my ajax based web app so that I can develop
locally (localhost) and make requests to my live server.

 

Mozilla has a great explanation of how to craft requests and response
headers here:

https://developer.mozilla.org/en/HTTP_access_control

 

 

I am using jQuery and ajaxCFC for my requests, jQuery adds a custom header,
which forces the request to be 'preflighted'.  What this means is that an
OPTION method request is sent to the server before the actual request to see
if the request is valid/supported. The server is supposed to respond with
the allowed headers something like this:

 

Access-Control-Allow-Origin: http://foo.example 

Access-Control-Allow-Methods: POST, GET, OPTIONS  

Access-Control-Allow-Headers: X-PINGOTHER  

Access-Control-Max-Age: 1728000  

 

My problem is that the request to the CFC via the OPTIONS method never gets
a response, the CFC not the application.CFC ever execute. The only way I can
get it to work is to set the headers within the IIS HTTP Headers. But I
don't want to do this for all requests, only when needed, when the method is
OPTIONS and I would like to be able to further validate the request. But the
request never gets to Cold Fusion.

 

In firebug, the request looks like this:

 

OPTIONS
http://www.myserver.com/app/adapter/publicAdapter.cfc?method=ping&returnform
at=json

 

Host: www.myserver.com

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1)
Gecko/20090624 Firefox/3.5

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Origin: http://localhost

Access-Control-Request-Method: POST

 

Connection: close

Date: Wed, 08 Jul 2009 15:58:04 GMT

Server: Microsoft-IIS/6.0

Access-Control-Allow-Methods: POST,GET,OPTIONS

Access-Control-Allow-Headers:
X-Requested-With,If-Modified-Since,Accept,Content-Type

Access-Control-Max-Age: 1728000

Access-Control-Allow-Origin: http://localhost

Allow: GET, HEAD, POST, TRACE, OPTIONS

 

The response headers are the headers I have set manually in IIS. The actual
CFC never gets called.

 

I checked in IIS and the application extension mapping for CFC is set to
"all verbs" and yet the request never gets to CF. I added some logging in
application.cfc onRequestStart and nothing.

 

So does anyone have any idea how to do a preflighted request so that cold
fusion can respond? Or is this an IIS issue where IIS is not passing the
OPTIONS request to CF?

 

Brook Davies

Logiforms.com

 

 

 

 

 




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324365
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.4