[thredds] Fwd: A request for server developers

Hi All:

Please see the request at the end about enabling CORS in OPeNDAP servers.  Any 
thoughts on this?

-Roy

Begin forwarded message:

> From: Roberto De Almeida <roberto@xxxxxxxxxxxxx>
> Subject: A request for server developers
> Date: April 24, 2013 11:14:07 AM PDT
> To: Tech OPeNDAP <opendap-tech@xxxxxxxxxxx>, "pydap@xxxxxxxxxxxxxxxx" 
> <pydap@xxxxxxxxxxxxxxxx>
> Reply-To: pydap@xxxxxxxxxxxxxxxx
> 
> Hi, guys!
> 
> In 2006 I wrote an implementation of an OPeNDAP client in Javascript called 
> jsdap (https://code.google.com/p/jsdap/). At the time Javascript was still a 
> toy language and the XML HTTP Request (XHR) was incapable of handling binary 
> data, but I managed to hack a full client that worked in all major browsers 
> (including IE by injecting vbscript!). And while it was written more as a 
> proof-of-concept the client is actually used in some data portals like 
> http://www.ifremer.fr/oceanotronPortal/. (A Node.js OPeNDAP server was also 
> added 3 years ago.)
> 
> Fast forward 7 years and we now have a lot of new technologies on the table: 
> a new XHR object with support for binary transfers, typed arrays and WebGL. 
> I've been playing again with using Javascript as an OPeNDAP client, in 
> particular to display real time information from OPeNDAP servers. I have set 
> up a small OPeNDAP server on one of my VPS streaming the system load 
> information:
> 
>   http://vps.dealmeida.net:5000/.dds
>   http://vps.dealmeida.net:5000/.das
> 
> This is an infinite dataset (try "curl http://vps.dealmeida.net:5000/.asc"), 
> and it will keep streaming the data at one record per second until the 
> connection is broken. Keep in mind that this is a regular OPeNDAP Sequence, 
> and nothing was changed in the specification to make this work. Nevertheless, 
> I'm not aware of OPeNDAP clients that can access the stream other than the 
> development version of Pydap.
> 
> On another machine I have a widget displaying the information on a real time 
> graph: http://dealmeida.net/opendap-streaming/
> 
> You can see how everything was implemented on this Mercurial repository. The 
> data is displayed by fetching the .dods response and parsing it. We still 
> need a few hacks to do this, but only because the data is being streamed 
> (Mozilla handles it nicely; Chrome cannot stream binary data, so it still 
> fetches it as string). Handling regular OPeNDAP datasets should be pretty 
> straightforward with the new XHR, and I plan to rewrite jsdap as soon as I 
> have some free time.
> 
> Now to my request: the only reason that the demo works -- having a page in 
> one host displaying data from an OPeNDAP server on another -- is because I 
> enabled CORS on Pydap. By default, now all DODS, DAS and DDS responses from 
> Pydap have the following additional headers:
> 
>   Access-Control-Allow-Origin: *
>   Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type
> 
> These headers (the first one, actually) allow the responses to be accessed 
> through XHR from any host. As far as I know there is no downside in doing 
> this. Even if your server uses cookies for authenticating access to certain 
> datasets the cookies will not be sent unless the 
> Access-Control-Allow-Credentials header is set (and set to true), which would 
> allow other sites to "steal" your data and download it by impersonating a 
> logged-in user.
> 
> My request is that all OPeNDAP servers enable CORS from any host by default 
> today, at least in the DODS, DAS and DDS responses; and if not by default, at 
> least as an option. This way, by the time Javascript matures enough so that 
> its performance on the browser becomes comparable to desktop applications we 
> can start building rich web applications that use all the data available 
> through OPeNDAP.
> 
> Some resources
> About CORS: http://en.wikipedia.org/wiki/Cross-origin_resource_sharing / 
> https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS
> Security concerns: 
> https://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
> 
> Thank you,
> Rob
> 
> -- 
> Roberto De Almeida, PhD
> http://dealmeida.net/
> :wq

**********************
"The contents of this message do not reflect any position of the U.S. 
Government or NOAA."
**********************
Roy Mendelssohn
Supervisory Operations Research Analyst
NOAA/NMFS
Environmental Research Division
Southwest Fisheries Science Center
1352 Lighthouse Avenue
Pacific Grove, CA 93950-2097

e-mail: Roy.Mendelssohn@xxxxxxxx (Note new e-mail address)
voice: (831)-648-9029
fax: (831)-648-8440
www: http://www.pfeg.noaa.gov/

"Old age and treachery will overcome youth and skill."
"From those who have been given much, much will be expected" 
"the arc of the moral universe is long, but it bends toward justice" -MLK Jr.
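
The CORS policy described in the forwarded message, written as WSGI middleware: the two headers are added to .dods, .das and .dds responses only, and Access-Control-Allow-Credentials is never emitted. This is an added example, not part of the original message and not Pydap's code; `CORSForDAP`, `demo_dap_app` and `response_headers` are hypothetical names, and dropping upstream Access-Control-* headers is an assumption of this example.

```python
from wsgiref.util import setup_testing_defaults

# Response suffixes named in the message: DODS, DAS and DDS.
DAP_SUFFIXES = (".dods", ".das", ".dds")
CORS_HEADERS = [
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type"),
]


class CORSForDAP:
    """Hypothetical WSGI middleware: open CORS for DAP responses only."""

    def __init__(self, app, suffixes=DAP_SUFFIXES):
        self.app = app
        self.suffixes = tuple(suffixes)

    def __call__(self, environ, start_response):
        is_dap = environ.get("PATH_INFO", "").endswith(self.suffixes)

        def cors_start_response(status, headers, exc_info=None):
            # Assumption: CORS policy is set here only, so upstream
            # Access-Control-* headers (including Allow-Credentials) are dropped.
            kept = [(k, v) for k, v in headers
                    if not k.lower().startswith("access-control-")]
            if is_dap:
                kept.extend(CORS_HEADERS)
            return start_response(status, kept, exc_info)

        return self.app(environ, cors_start_response)


def demo_dap_app(environ, start_response):
    """Constructed stand-in for an OPeNDAP server (not Pydap)."""
    start_response("200 OK", [
        ("Content-Type", "application/octet-stream"),
        ("Access-Control-Allow-Credentials", "true"),  # misconfigured upstream
    ])
    return [b"constructed sample body\n"]


def response_headers(app, path):
    """Call a WSGI app for `path`; return response headers with lowercased names."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    seen = {}
    app(environ, lambda status, headers, exc_info=None:
        seen.update((k.lower(), v) for k, v in headers))
    return seen
```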
