Cross Domaining


Diffusion 5.9

Diffusion 6.0

Diffusion 6.1

Diffusion 6.2

Diffusion 6.3

Diffusion Cloud


The following article is provided on an advice basis only.
Due to the varied nature of load balancers and their configuration, Push Technology are unable to provide further support.

Problem

The Diffusion JavaScript Client Library, unless otherwise configured, will cascade downward through a set of ‘transports’, starting with WebSockets and working its way down toward XmlHttpRequest (‘XHR’ or ‘Ajax Long Poll’), and then finally to hidden IFrames.

WebSockets, Flash and Silverlight have few security constraints; XHR, however, is subject to the same origin policy. Simply put, if JavaScript code executes within a web page sourced from www.pushtechnology.com then it is only permitted to make XHR requests back to www.pushtechnology.com. If your Diffusion server is at example.pushtechnology.com this presents a problem when only XHR is available.

Resolution

CORS Solution

Cross-Origin Resource Sharing (CORS) is a standard formed to address circumstances where www.pushtechnology.com uses XHR to access resources on an alternate host, example.pushtechnology.com. It aims to provide sensible constraints and avoid a free-for-all.

CORS uses HTTP headers to enable the Diffusion server to indicate if it accepts traffic from web pages served from other servers. When a CORS request is made, Diffusion must respond with certain response HTTP headers for the browser to treat the request as successful. CORS requests can result in the browser sending a pre-flight request to Diffusion using the OPTIONS method to determine if the origin, headers, and methods of the request it is about to make are permitted. Diffusion responds with the correct values for headers and methods but the actual request is not made until the pre-flight request succeeds.

The allowed origins can be configured in the client-service element of the WebServer.xml configuration file.

Client Side

To enable CORS in the JavaScript client, include the XHRURL attribute in the arguments to the DiffusionClientConnectionDetails constructor.

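var connectionDetails = {
	debug : true,
	onDataFunction : onDataEvent,  // callback defined elsewhere on the page
	// URL used for XHR connections; needed when the page and server origins differ
	XHRURL : "http://www.pushtechnology.com:8080"
};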

Server Side

CORS filtering is governed on the server side using the cors-origin attribute found in etc/WebServer.xml.

By default this is a very permissive .* regular expression, which matches any origin, and must be set to something more specific in production. In the above example, push.example.com will limit the requests it accepts to only those from www.example.com. Full details about this feature are found in the web server section of the Diffusion manual.
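The following is an added example, not code from Push Technology or the Diffusion manual, that audits candidate cors-origin patterns before they go into production. It assumes the server accepts an Origin only when the whole header value matches the pattern; the function names and all origins are constructed for illustration.

```javascript
// Added example: audit candidate cors-origin regular expressions.
// Assumption: an Origin is accepted only on a full match of the pattern,
// emulated here by wrapping the pattern in ^(?:...)$.
// All origins below are constructed sample values.
const TRUSTED = ["http://www.example.com"];
const UNTRUSTED = [
  "http://www.example.com.untrusted.test", // trusted name used as a prefix
  "http://wwwXexample.com",                // matches when dots are not escaped
  "http://other.example.net",              // unrelated site
  "https://www.example.com",               // different scheme, so a different origin
  "null",                                  // sent by sandboxed frames and file: pages
];

function fullMatch(pattern, origin) {
  return new RegExp("^(?:" + pattern + ")$").test(origin);
}

// Reports trusted origins the pattern rejects and untrusted origins it admits.
function auditCorsOrigin(pattern, trusted = TRUSTED, untrusted = UNTRUSTED) {
  const rejected = trusted.filter((o) => !fullMatch(pattern, o));
  const admitted = untrusted.filter((o) => fullMatch(pattern, o));
  const ok = rejected.length === 0 && admitted.length === 0;
  return { pattern, rejected, admitted, ok };
}

// Builds a pattern matching exactly one origin by escaping regex metacharacters.
function exactOriginPattern(origin) {
  return origin.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

const candidates = [
  ".*",                                         // the permissive default
  "http://www.example.com.*",                   // trailing wildcard
  "http://www.example.com",                     // unescaped dots
  exactOriginPattern("http://www.example.com"), // escaped, exact
];

for (const p of candidates) {
  const r = auditCorsOrigin(p);
  console.log(r.ok ? "OK  " : "WEAK", JSON.stringify(p), "admits:", r.admitted);
}
```

Only the escaped, exact pattern passes; the unescaped form still admits an origin in which a dot position is filled by another character.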

CORS Limitations

Full CORS support has only been available in Internet Explorer 10+.

The full CORS support table is available at the following link:

Due to the lack of CORS support in some browsers, it is recommended that a load balancer solution is used instead, as this is a catch-all solution irrespective of the web browser used.

Load Balancer Solution

Rather than catering to each special-case browser, this approach confines all complexity to one place. This solution presumes that a load balancer is already in place.

All XHR requests to Diffusion use a URL that starts with /diffusion. Routing all such requests to one of the servers in the Diffusion pool will make available both regular and Diffusion functionality from one apparent host.

CORS

In circumstances where clients of Diffusion solutions cannot be depended upon to have a single IP address (for example: users with multiple ADSL connections, or smart-phones migrating between providers), each HTTP request made from a Diffusion client to a Diffusion server carries a cookie named “session” holding the unique client-id of that client. This gives load balancers an alternative means of distributing a request to one of their Diffusion server team.