Jun 25 2007
 

Thanks to my colleague Wijnand for pointing out to me that the XMLHttpRequest security problem can be solved by using mod_proxy. As I was trying to show an Oracle Mapviewer map inside an APEX HTML region, I needed to proxy the mapviewer in the APEX Apache configuration.


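    # Forward proxying stays off: ProxyPass (reverse proxying) does not need it,
    # and ProxyRequests On would turn this server into an open forward proxy.
    ProxyRequests Off
    # ProxyVia: set to one of Off | On | Full | Block
    ProxyVia On
    ProxyPass /mapviewer http://l-rsprinkhuizen:8888/mapviewer
    ProxyPassReverse /mapviewer http://l-rsprinkhuizen:8888/mapviewer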

At first I proxied to /mv to keep the typing (and typing errors) to a minimum, but that didn’t seem to work. Parts were showing, other parts were not. Then I changed the /mv to /mapviewer and everything worked. So there you have it: Mapviewer has a hardcoded path in some of its core!
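Why the proxy gets around the "Permission denied" error, and why the /mv prefix only half-worked, shown as an added example that is not part of the original post. It is a simplified model of the browser's same-origin comparison and of ProxyPass prefix matching; the APEX host `apex.example:7777` and the request paths are constructed, and it assumes Mapviewer emits absolute `/mapviewer/...` paths, as the post concludes.

```javascript
// Backend URL taken from the post's ProxyPass line.
const BACKEND = "http://l-rsprinkhuizen:8888/mapviewer";
// Constructed page URL: the APEX page served by the proxying Apache.
const PAGE = "http://apex.example:7777/pls/apex/f?p=100:1";

// The two prefixes the post tried, expressed as { prefix, backend } rules.
const MV_RULES = [{ prefix: "/mv", backend: BACKEND }];
const MAPVIEWER_RULES = [{ prefix: "/mapviewer", backend: BACKEND }];

// Origin = scheme + host + port; this is what the browser compares
// before it lets a script call XMLHttpRequest.open on a URL.
function isSameOrigin(pageUrl, targetUrl) {
  return new URL(pageUrl).origin === new URL(targetUrl, pageUrl).origin;
}

// Return the backend URL the first matching rule forwards `path` to,
// or null. A prefix only matches on a path-segment boundary.
function proxyTarget(path, rules) {
  for (const { prefix, backend } of rules) {
    if (path === prefix || path.startsWith(prefix + "/")) {
      return backend + path.slice(prefix.length);
    }
  }
  return null;
}

// Classify a URL referenced from the page:
//   "blocked"   - cross-origin, so the script may not request it
//   "forwarded" - same origin and covered by a ProxyPass rule
//   "unmapped"  - same origin, but no rule matches, so the front-end
//                 Apache answers itself (typically with a 404)
function classify(pageUrl, ref, rules) {
  if (!isSameOrigin(pageUrl, ref)) return { status: "blocked", target: null };
  const path = new URL(ref, pageUrl).pathname;
  const target = proxyTarget(path, rules);
  return { status: target ? "forwarded" : "unmapped", target };
}
```

With `MV_RULES`, a hardcoded `/mapviewer/...` reference is same-origin but unmapped, which matches the "parts were showing, other parts were not" symptom.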

 Posted by at 23:57
Jun 25 2007
 

Firefox implemented a scripting-security feature that should do its work better than a question “Do you allow this script to run” or something along that line. Because users will press YES, since they are browsing and don’t want to be annoyed with pop-ups…
One of the items that can’t be done from scripting anymore is an XMLHttpRequest (to another site). Basically the thing that runs AJAX. Without it, you would not have AJAX.

Now Firefox is asking us to sign our JavaScript, so it will know the script is what it’s supposed to be. But wait… not only the JavaScript (or external .js file), but the whole page.

WTF?

APEX generates pages on the fly, and you can include JavaScript in the page definition. But there is no complete page to sign. So how do I solve a “Permission denied to call method XMLHTTPRequest.open”? Any framework that dynamically generates pages will suffer from the same problem, so… any thoughts on this one? I can’t just alter the framework to do some server-side proxying only to overcome the fact that the client can’t request a URL.

 Posted by at 01:39