GWT : separate js + css + images from server - gwt

We'd like to have the following configuration :
one server is replying to GWT RPC : x.com (the one running Java)
another server is serving js / css / images : y.com (for bandwidth optimization)
So the main page is : http://x.com/index.html
and contains this line: <script type="text/javascript" language="javascript" src="http://**x.com**/my-app.nocache.js"></script>
We're getting a SOP error: Unsafe JavaScript attempt to access frame with URL ...
Any suggestion, help about that ?

Add the following to your gwt.xml:
<add-linker name="xsiframe" />
This will generate slightly different code, that can be loaded cross-origin. Your "host page" will still have to be loaded from the same server you run your GWT-RPC servlets on, to not hit the SOP.
See this FAQ entry (the "xs" linker predates the "xsiframe" one; the latter is now preferred, and could eventually even replace the "std", default linker).

You have hit the Same Origin Policy, which prevents making XMLHttpRequest calls to servers other than the origin server. This effectively prevents cross-domain GWT-RPC.
The possible workarounds are described in Making cross-site requests:
Run a proxy on your server
Load the JSON response into a <script> tag

Related

Cannot save template constants in typo3

I updated the constants of my template in the web editor of typo3. Each time I click on Save or Close+Save I get a pop-up from my browser to download a file. The content is like this:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Unavailable</title>
</head><body>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
</body></html>
The minimal example to get this is:
page.theme {
socialmedia.channels {
facebook.url = https://www.facebook.com/typo3/
}
}
It seems that Typo3 has a problem with the dots in the url. If I remove all of them or escape them with a backslash "\" everything works. (But the backslash remains in the url and therefore produces invalid urls)
Some months ago everything worked fine. Some other templates in the same installation also have urls in their configuration and they are working (the page is rendered normally). If I try to save them now without any changes I get the same error.
That is the system I use:
Typo3-Version: 9.5.20
Webserver: Apache/2.4.43 (Unix)
PHP-Version: 7.3.21
Database: MySQL 5.6.42
Applicationcontext: Production
OS: SunOS SunOS localhost 5.10 Generic_150401-49 i86pc
Bootstrap Package: 11.0.2

Integrate With Google button: Failed to execute ‘postMessage’ on ‘DOMWindow’

I am trying to add Integrate With Google button to our website using the instructions at https://developers.google.com/gsuite/marketplace/button.
According to the instruction, I need to add:
<script type="text/javascript" src="https://apis.google.com/js/platform.js"/>
to head and then incorporate:
<g:additnow applicationid="[appid]"></g:additnow>
The button is not rendered. The error in browser console says:
Failed to execute ‘postMessage’ on ‘DOMWindow’: The target origin provided (‘https://accounts.google.com’) does not match the recipient window’s origin (‘http://server.local:8090’).
Load denied by X-Frame-Options: https://apis.google.com/additnow/additnow.html?usegapi=1&applicationid=[appid]&origin=http%3A%2F%2Fserver.local%3A8090&gsrc=3p&ic=1&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en_US.Vch8vd-lM6E.O%2Fm%3D__features__%2Fam%3DAQE%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCOgsbyjgLVijKgLfaXMbki4Pxbd_A#_methods=onPlusOne%2C_ready%2C_close%2C_open%2C_resizeMe%2C_renderstart%2Concircled%2Cdrefresh%2Cerefresh%2Claunchurl&id=I0_1517552817258&_gfid=I0_1517552817258&parent=http%3A%2F%2Fserver.local%3A8090&pfname=&rpctoken=19038946 does not permit cross-origin framing.
A couple of points:
I am loading the page using the Tomcat web server
server.local resolves to 127.0.0.1
http anywhere browser extension is disabled
The page is not being loaded in an iframe
I tried loading platform.js without https. It makes no difference.
Any ideas?

httpOnly cookie

I had done a web scan for an application (built in struts and hibernate framework) deployed in jboss 5 which reported "Set-cookie does not use HTTPOnly keyword. The web application does not utilize HTTPOnly cookies". What does it mean? I looked for some posts and just added one line in my jboss/deploy/jbossweb.sar/context.xml as
<SessionCookie secure="true" useHttpOnly="true" >
After setting that, I am getting error while running the application. Is there any configuration that I am missing?
Try this:
<SessionCookie secure="true" httpOnly="true" />
What does it mean
The HttpOnly flag in an HTTP response header indicates to the browser that client-side access to the JSESSION_ID or other session-cookie type identifier should not be permitted. What this is intended to prevent is malicious access to the session token via client-side scripts in an XSS (or other attack involving session hijacking from the client side). Currently almost all major browsers support this flag (see this list for supporting browsers), but it's simply ignored in browsers that don't support it. See more info on this at the OWASP site.
Setting it up is similar for Tomcat and forks of it, including JBoss, by including the following in your context file:
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>
or
<SessionCookie secure="true" httpOnly="true" />
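The scanner finding discussed above comes down to inspecting the attributes of each Set-Cookie response header. The following is an added example, not code from the original posts: a small audit over constructed header values, where the sample cookies and the set of names treated as session cookies are assumptions.

```python
# Constructed Set-Cookie header values (not captured from a real server).
SAMPLE_SET_COOKIE = [
    "JSESSIONID=4F2A9C1E7B; Path=/app",
    "JSESSIONID=4F2A9C1E7B; Path=/app; Secure; HttpOnly",
    "theme=dark; Path=/; httponly",
    "JSESSIONID=4F2A9C1E7B; Path=/app; Comment=HttpOnly-later",
]

# Assumption: cookie names this audit treats as session identifiers.
SESSION_COOKIE_NAMES = {"jsessionid"}


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = header.split(";")
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val
    return name, attrs


def audit_set_cookie(header):
    """Return (cookie name, findings) the way a header scanner would report them."""
    name, attrs = parse_set_cookie(header)
    is_session = name.lower() in SESSION_COOKIE_NAMES
    findings = []
    # Attribute names are case-insensitive; match the attribute itself,
    # not the substring "HttpOnly" somewhere in the header (see last sample).
    if "httponly" not in attrs:
        findings.append("session cookie readable by script (no HttpOnly)"
                        if is_session else "no HttpOnly")
    if "secure" not in attrs:
        findings.append("may be sent over plain HTTP (no Secure)")
    return name, findings


if __name__ == "__main__":
    for header in SAMPLE_SET_COOKIE:
        print(audit_set_cookie(header))
```

Running the same check against the application's responses before and after the context.xml change shows whether the flag actually reaches the browser.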

How to make browser stop caching GWT nocache.js

I'm developing a web app using GWT and am seeing a crazy problem with caching of the app.nocache.js file in the browser even though the web server sent a new copy of the file!
I am using Eclipse to compile the app, which works in dev mode. To test production mode, I have a virtual machine (Oracle VirtualBox) with a Ubuntu guest OS running on my host machine (Windows 7). I'm running lighttpd web server in the VM. The VM is sharing my project's war directory, and the web server is serving this dir.
I'm using Chrome as the browser, but the same thing happens in Firefox.
Here's the scenario:
The web page for the app is blank. According to Chrome's "Inspect Element" tool, it's because it is trying to fetch 6E89D5C912DD8F3F806083C8AA626B83.cache.html, which doesn't exist (404 not found).
I check the war directory, and sure enough, that file doesn't exist.
The app.nocache.js on the browser WAS RELOADED from the web server (200 OK), because the file on the server was newer than the browser cache. I verified that file size and timestamp for the new file returned by the server were correct. (This is info Chrome reports about the server's HTTP response)
However, if I open the app.nocache.js on the browser, the javascript is referring to 6E89D5C912DD8F3F806083C8AA626B83.cache.html!!! That is, even though the web server sent a new app.nocache.js, the browser seems to have ignored that and kept using its cached copy!
Goto Google->GWT Compile in Eclipse. Recompile the whole thing.
Verify in the war directory that the app.nocache.js was overwritten and has a new timestamp.
Reload the page from Chrome and verify once again that the server sent a 200 OK response to the app.nocache.js.
The browser once again tries to load 6E89D5C912DD8F3F806083C8AA626B83.cache.html and fails. The browser is still using the old cached copy of app.nocache.js.
Made absolutely certain in the war directory that nothing is referring to 6E89D5C912DD8F3F806083C8AA626B83.cache.html (via find and grep)
What is going wrong? Why is the browser caching this nocache.js file even when the server is sending it a new copy?
Here is a copy of the HTTP request/response headers when clicking reload in the browser. In this trace, the server content hasn't been recompiled since the last GET (but note that the cached version of nocache.js is still wrong!):
Request URL:http://192.168.2.4/xbts_ui/xbts_ui.nocache.js
Request Method:GET
Status Code:304 Not Modified
Request Headers
Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Host:192.168.2.4
If-Modified-Since:Thu, 25 Oct 2012 17:55:26 GMT
If-None-Match:"2881105249"
Referer:http://192.168.2.4/XBTS_ui.html
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
Response Headers
Accept-Ranges:bytes
Content-Type:text/javascript
Date:Thu, 25 Oct 2012 20:27:55 GMT
ETag:"2881105249"
Last-Modified:Thu, 25 Oct 2012 17:55:26 GMT
Server:lighttpd/1.4.31
The best way to avoid browser caching is to set the expiration time to now and add the max-age=0 and the must-revalidate controls.
This is the configuration I use with apache-httpd:
ExpiresActive on
<LocationMatch "nocache">
ExpiresDefault "now"
Header set Cache-Control "public, max-age=0, must-revalidate"
</LocationMatch>
<LocationMatch "\.cache\.">
ExpiresDefault "now plus 1 year"
</LocationMatch>
Your configuration for lighttpd should be:
server.modules = (
"mod_expire",
"mod_setenv",
)
...
$HTTP["url"] =~ "\.nocache\." {
setenv.add-response-header = ( "Cache-Control" => "public, max-age=0, must-revalidate" )
expire.url = ( "" => "access plus 0 days" )
}
$HTTP["url"] =~ "\.cache\." {
expire.url = ( "" => "access plus 1 years" )
}
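The policy in the two configurations above (revalidate every `.nocache.` file, cache `.cache.` files for a year) can be checked against actual responses. The following is an added example, not part of the original answer: an audit over constructed responses, the first of which mirrors the header set in the question's trace; the verdict labels are assumptions of this sketch.

```python
import re

ONE_YEAR = 365 * 24 * 3600

# Constructed responses. The first mirrors the question's trace:
# validators only, no Cache-Control or Expires.
SAMPLES = [
    ("/xbts_ui/xbts_ui.nocache.js",
     {"ETag": '"2881105249"', "Last-Modified": "Thu, 25 Oct 2012 17:55:26 GMT"}),
    ("/xbts_ui/xbts_ui.nocache.js",
     {"Cache-Control": "public, max-age=0, must-revalidate"}),
    ("/xbts_ui/6E89D5C912DD8F3F806083C8AA626B83.cache.html",
     {"Cache-Control": "max-age=31536000"}),
    ("/xbts_ui/6E89D5C912DD8F3F806083C8AA626B83.cache.html",
     {"Cache-Control": "max-age=0"}),
]


def directives(headers):
    """Parse Cache-Control into {directive: value or None}, case-insensitively."""
    raw = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    out = {}
    for part in raw.split(","):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip('"') or None
    return out


def audit(url, headers):
    """Classify a response against the nocache/cache policy (labels are ours)."""
    d = directives(headers)
    max_age = int(d["max-age"]) if (d.get("max-age") or "").isdigit() else None
    if re.search(r"\.nocache\.", url):
        if "no-store" in d or "no-cache" in d:
            return "ok"
        if max_age == 0 and "must-revalidate" in d:
            return "ok"
        # No explicit freshness: the browser may pick its own lifetime.
        return "heuristic-caching" if not d else "stale-risk"
    if re.search(r"\.cache\.", url):
        return "ok" if max_age is not None and max_age >= ONE_YEAR else "short-lived"
    return "unclassified"


if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(audit(url, headers), url)
```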
We had a similar issue. We found out that timestamp of the nocache.js was not updated with gwt compile so had to touch the file on build. And then we also applied the fix from #Manolo Carrasco Moñino. I wrote a blog about this issue. http://programtalk.com/java/gwt-nocachejs-cached-by-browser/
We are using version 2.7 of GWT as the comment also points out.
There are two straightforward solutions (second is modified version of first one though)
1) Rename your *.html file which has a reference to *.nocache.js, e.g. MyProject.html to MyProject.jsp
Now search for the location of your *.nocache.js script in MyProject.html
<script language="javascript" src="MyProject/MyProject.nocache.js"></script>
Add a dynamic variable as a parameter for the JS file; this will make sure the actual contents are returned from the server every time. The following is an example:
<script language="javascript" src="MyProject/MyProject.nocache.js?dummyParam=<%= "" + new java.util.Date().getTime() %>"></script>
Explanation: dummyParam will be of no use BUT will get us our intended results, i.e. will return us a 200 code instead of 304
Note: If you use this technique then you will need to make sure that you are pointing to the right jsp file for loading your application (before this change you were loading your app using the HTML file).
2) If you don't want to use the JSP solution and want to stick with your html file then you will need JavaScript to dynamically add the unique parameter value on the client side when loading the nocache file. I am assuming that should not be a big deal now for you given the solution above.
I have used first technique successfully, hope this will help.
The app.nocache.js on the browser WAS RELOADED from the web server (200 OK), because the file on the server was newer than the browser cache. I verified that file size and timestamp for the new file returned by the server were correct. (This is info Chrome reports about the server's HTTP response)
I wouldn't rely on this. I've seen a bit of strange behaviour in Chrome's dev tools with the network tab in combination with caching (at least, it's not 100% transparent for me). In case of doubt, I usually still consult Firebug.
So probably Chrome still uses the old version. It may have decided long ago, that it will never have to reload the resource again. Clearing the cache should resolve this. And then make sure to set the correct caching headers before reloading the page, see e.g. Ideal HTTP cache control headers for different types of resources.
Open the page in incognito mode just to get rid of the cache issue and unblock yourself.
You need to configure the cache time as mentioned in other comments.
After unsuccessfully preventing caching via Apache I created a bash script that root runs every minute in a cron job on my Linux Tomcat server.
#!/bin/bash
#
# Touches GWT nocache.js files in the Tomcat web app directory to prevent caching.
# Execute this script every minute in a root cron job.
#
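# Stop if the web app directory is missing rather than touching files elsewhere.
cd /var/lib/tomcat7/webapps || exit 1
# IFS= and -r keep leading whitespace and backslashes in file names intact.
find . -name '*nocache.js' | while IFS= read -r file; do
    logger "Touching file '$file'"
    touch "$file"
done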

servlet filter for url rewriting makes gwt page getting 404

I have a GWT application /application.html
For easy access (and SEO) I would like to do url rewriting, like a /station/fr/foo mapping
I'm trying with a servlet filter declared like this
url-pattern : /station/*
and in this filter, I split parts of the url to build parameters for the target url:
and I do :
request.getRequestDispatcher( targetUrl ).forward( request, response);
But it seems to try accessing /station/Application.html and then 404
[ =========== edited from here =========== ]
Well, now, since this question, I have understood a few things: the html page is reached, but it tries to load its resources (css, js, img) from /station/
This behaviour is done by the browser (!)
If I add <base href="http://servername/"> it works, but I can't get dev mode working anymore...
Is there a way to transparently modify the response on the fly to change paths in the html source?
You are looking for fixing the app path in both hosted jetty mode and tomcat/deployment mode to be same - Try https://groups.google.com/d/topic/google-web-toolkit/a8OsRmMSaMg/discussion
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN"
"http://jetty.mortbay.org/configure.dtd">
<Configure class="org.mortbay.jetty.webapp.WebAppContext">
<Set name="contextPath">/yourapp</Set>
</Configure>