Thread Accessing https within an EWB page
Tue, Feb 12 2013 1:11 PM

Matthew Jones

I am writing an application using EWB that will be hosted entirely on an https
connection, served by a Delphi/RemObjects SDK service. This is working fine, but
when I run the app in the EWB IDE, the code is unable to access the https service.
I get "Access is denied". The code itself is trying to connect to a "hard coded"
URL, so both should work. I therefore assume that this is some sort of security
thing in the IE browser. Is there a way to turn it off on my development PC?

If I open the http page (served by EWB) in IE then I get the same error. Hmm,
Chrome is so good! Okay, it says that "XMLHttpRequest cannot load
https://localhost/JSON?1360692200302. Origin http://localhost is not allowed by
Access-Control-Allow-Origin."

A quick scan in this newsgroup and a google shows that this is complicated. I
presume that there is no way to tell the IDE to fetch from https instead of http,
and using my server? If I disable the internal server, it appears to load the page
but with other scripting issues, so I don't understand that.

If anyone has any useful comments on this, please let me know. I might just hack it
to work with http locally. Not sure. Conditional compile would be good, with the
command line, so that I could have debug stuff for me, and know that the release
build wouldn't have such.

(I'll just add that I am finding the EWB product really good, nice and solid, and
very productive. These posts are not big problems, and a lot better than other
environments I've used.)

/Matthew Jones/
Tue, Feb 12 2013 10:57 PM

Raul

Team Elevate

Matthew,

On 2/12/2013 1:11 PM, (Matthew Jones) wrote:
> I am writing an application using EWB that will be hosted entirely on an https
> connection, served by a Delphi/RemObjects SDK service. This is working fine, but

Likely a cross-origin access issue you're running into. A number of
discussions in this thread do cover it (e.g.
http://www.elevatesoft.com/forums?action=view&category=ewb&id=ewb_discussion&page=1&msg=115#115).

> I get "Access is denied". The code itself is trying to connect to a "hard coded"
> URL, so both should work. I therefore assume that this is some sort of security
> thing in the IE browser. Is there a way to turn it off on my development PC?

You really should not - this will always happen so might as well solve
this in dev.

Basically whenever you need to access a URL that is not the same URL you
loaded the EWB app from you will have this problem.

So either load the EWB app from same web server that serves your RO
webservice or alternatively see if you can configure the RO web server
to use Access-Control-Allow-Origin as * (this means every domain - later
might want to narrow it down if possible to only ones allowed).

I assume that RO includes its own web server so there should be a way to
either specify custom http header with Access-Control-Allow-Origin or
they might have a config option for it (everybody would have the same
issue).


> A quick scan in this newsgroup and a google shows that this is complicated. I

It's not that bad once you get your head around it.

> and using my server? If I disable the internal server, it appears to load the page
> but with other scripting issues, so I don't understand that.

I would not do this - this results in loading the EWB app from the local
filesystem and brings in a whole set of new issues since your app tries to
do web requests.

Raul
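
The cross-origin rule discussed in the post above, as an added example that is not part of the original thread: it shows why `http://localhost` and `https://localhost` count as different origins, and how a server can echo `Access-Control-Allow-Origin` only for allowlisted origins instead of sending `*`. The function names, the `ALLOWED_ORIGINS` list and the page path are assumptions for illustration.

```javascript
// Added example; function names and ALLOWED_ORIGINS are illustrative assumptions.

// An origin is scheme + host + port; the URL API drops default ports (80/443).
function originOf(url) {
  return new URL(url).origin;
}

function isCrossOrigin(pageUrl, requestUrl) {
  return originOf(pageUrl) !== originOf(requestUrl);
}

// Assumed allowlist for a dev setup: the IDE-served page and the https service.
const ALLOWED_ORIGINS = new Set(['http://localhost', 'https://localhost']);

// Server side: choose response headers from the request's Origin header.
// Echo the origin only when it is allowlisted; Vary keeps caches from
// reusing a response generated for a different origin.
function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' };
  if (requestOrigin && allowed.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  }
  return headers;
}

// Browser side, simplified to a request without credentials or preflight:
// a cross-origin response is readable only if the header matches.
function browserAllowsRead(pageUrl, requestUrl, responseHeaders) {
  if (!isCrossOrigin(pageUrl, requestUrl)) return true;
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  return acao === '*' || acao === originOf(pageUrl);
}

// Constructed sample: request URL from the Chrome error; page path is made up.
const page = 'http://localhost/index.html';
const api = 'https://localhost/JSON?1360692200302';
console.log('cross-origin:', isCrossOrigin(page, api));
console.log('no header:', browserAllowsRead(page, api, {}));
console.log('allowlisted:', browserAllowsRead(page, api, corsHeadersFor(originOf(page))));
console.log('other origin:', corsHeadersFor('http://example.test'));
```
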
Wed, Feb 13 2013 5:04 AM

Matthew Jones

> So either load the EWB app from same web server that serves your RO
> webservice or alternatively see if you can configure the RO web
> server to use Access-Control-Allow-Origin as * (this means every
> domain - later might want to narrow it down if possible to only
> ones allowed).
>
> I assume that RO includes its own web server so there should be a
> way to either specify custom http header with
> Access-Control-Allow-Origin or they might have a config option for
> it (everybody would have the same issue).

It is using Indy to handle the requests, so I will examine that.
It would be nice if EWB could have a URL to load the app from when you press F9.
Rather than load from file (I wondered how it was working) or using the internal
web server, use an alternative URL as the start point, perhaps as part of the
deploy on run function. That would allow "debugging" in the IDE in a much more
friendly manner when this situation arises.

/Matthew Jones/
Wed, Feb 13 2013 9:02 AM

Raul

Team Elevate

On 2/13/2013 5:04 AM, (Matthew Jones) wrote:
> It is using Indy to handle the requests, so I will examine that.

For plain Indy HTTP it should be as simple as this:

AResponseInfo.CustomHeaders.Add('Access-Control-Allow-Origin: *');


> It would be nice if EWB could have a URL to load the app from when you press F9.

Something for Tim to consider as feature enhancement.

Raul
Wed, Feb 13 2013 9:22 AM

Matthew Jones

I nearly had a great idea! I added this to my code:

   if Pos('http:', window.location.protocol) > 0 then
   begin
      lblResult.Caption := 'Redirecting to https';
      window.location.replace('https://localhost/');
   end;

(not too clean - I was aiming to get the full URL hence Pos).

Anyway, this works, and sends me off to the https server. Where it then falls over
in a heap due to a certificate error. In IE itself, this works and allows me to
click to continue, but the EWB IDE shows a certificate error - navigation blocked,
and won't let me click on anyway. Probably some embedding issue. Not sure how I can
fix my certificate as it looks like even a localhost one will fail if self signed.
Having looked this up further, it looks like you cannot make localhost a fully
certified domain, so the IDE needs to allow the redirect to have this as a solution.


/Matthew Jones/
Thu, Feb 14 2013 12:10 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Matthew,

<< I am writing an application using EWB that will be hosted entirely on an
https connection, served by a Delphi/RemObjects SDK service. This is working
fine, but when I run the app in the EWB IDE, the code is unable to access
the https service. I get "Access is denied". The code itself is trying to
connect to a "hard coded" URL, so both should work. I therefore assume that
this is some sort of security thing in the IE browser. Is there a way to
turn it off on my development PC? >>

You'll need to run the application against the https web server in order to
test it from the IDE.  To do so, do this:

1) In the Environment/Options dialog, go to the Web Servers page.

2) In the edit boxes, specify the web server name (user-defined),
Description, and URL/Port.  The URL is where you want to put the proper
https://..... URL of the web server.  Specify the port as 80 (even though it
isn't actually using port 80 for https, port 80 is considered the same as
"don't specify the port in the URL").

3) After specifying the web server, click on the Register button to add the
web server.

4) In the Project/Options dialog, go to the Deployment page.

5) Select the FTP deployment method, and click on the Deploy On Run check
box.  Fill in the FTP information for the FTP server that will allow you to
upload your application to the same web server machine as specified above.

6) In the EWB main toolbar, select the web server that you defined above
from the list of web servers.

7) Now, when you run your application in the IDE, EWB will compile the
application, deploy it via FTP to the external web server, and then run it
via the https URL that you specified.

<< (I'll just add that I am finding the EWB product really good, nice and
solid, and very productive. These posts are not big problems, and a lot
better than other environments I've used.) >>

Fantastic, thanks. Its main issue is lack of features/controls at this
point, and hopefully I can address that soon.

Tim Young
Elevate Software
www.elevatesoft.com
Thu, Feb 14 2013 2:54 PM

Matthew Jones

Wow - you've thought about this haven't you! Okay, done most of that. My deployment
is a plain copy, so I didn't do the FTP bit.

It all works except for the fact that my certificate is not valid. IE gives me a
warning, as it does in the plain browser, but when I click the link to "continue to
this website (not recommended)" it just shows the same page again.

If that isn't an instant fix, don't worry. I hope soon to get the domain sorted,
and will then have a proper certificate for it.

/Matthew Jones/
Thu, Feb 14 2013 3:28 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Matthew,

<< Wow - you've thought about this haven't you! Okay, done most of that. My
deployment is a plain copy, so I didn't do the FTP bit. >>

You can do a straight copy also, either way will work.

<< It all works except for the fact that my certificate is not valid. IE
gives me a warning, as it does in the plain browser, but when I click the
link to "continue to this website (not recommended)" it just shows the same
page again. >>

Hmmm, not sure if I can fix that one.

Tim Young
Elevate Software
www.elevatesoft.com
Thu, Feb 28 2013 12:42 PM

Matthew Jones

> For plain Indy HTTP it should be as simple as this :
>
> AResponseInfo.CustomHeaders.Add('Access-Control-Allow-Origin: *');

While digging around today, I found that there is a property to control this, but
it isn't exposed in the component I'm using. Not important to me right now though.

/Matthew Jones/