1 (edited by agentOOjoe 2012-02-14 22:43:32)

Topic: Cross domain uploads over SSL

I can't seem to get plupload to accept a destination url pointing to a different domain.

For the sake of example:
The plupload files, and my html form are hosted at 'https://formhost.com'

The parsing app is hosted on a node.js server at 'https://uploadparser.com'

My app at uploadparser.com is configured to send a response allowing for the request host 'https://formhost.com'.  Everything works fine if I just send a jquery.post request, so I know that I am not in violation of the same origin policy.

It appears that plupload is just skipping over each file that has a destination url it doesn't like.  I'm not seeing any ajax attempts, but my bound listeners function as expected.  For example, if I try to send three files, the BeforeUpload fires three times, UploadComplete once, and there are no errors reported.

Could the issue be https? The absolute url? Cross domain safeguards built into plupload? When I switch the url back to a local, relative path, it works again.

I am working with HTML5. Also, I have 'urlstream_upload : true' (for if/when flash is used).

Thanks!
Joe

Re: Cross domain uploads over SSL

I have confirmed that the problem is not ssl, or the absolute url.  It definitely has to do with the fact that it is cross-domain.  On my node.js server, I respond with the headers:

res.header("Access-Control-Allow-Origin", "https://formhost.com");
res.header("Access-Control-Allow-Headers", "X-Requested-With");

As I said above, this configuration works fine with a jquery ajax request, but not with plupload. What is the difference?


I'd really appreciate some help on this.  Thanks.

Re: Cross domain uploads over SSL

Flash is working fine.  This is now just an HTML5 problem.

Re: Cross domain uploads over SSL

I figured out what I was missing: a way to handle CORS preflight requests on my node server.

Here is what I have now:

app.all('/', function(req, res, next) {
    // CORS headers sent on every response, preflight or not
    res.header("Access-Control-Allow-Origin", "https://domain.com");
    res.header("Access-Control-Allow-Headers", "X-Requested-With");

    if (req.method.toUpperCase() === "OPTIONS") {
        // Preflight: answer it here instead of passing it on to the upload handler
        res.header("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
        res.header("Access-Control-Max-Age", 3600); // Seconds.
        res.writeHead(200, { 'content-type' : 'text/plain' }); // Send success code
        res.end();
    } else {
        next();
    }
});
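
The preflight handling above, as an added example that is not code from the thread or from plupload: a framework-independent decision function that answers the OPTIONS preflight only for an exact origin match and only for the method and headers the server means to accept. The names `ALLOWED_ORIGINS` and `corsResponse` are hypothetical; the origin, methods, header and max-age values are the ones used in the thread.

```javascript
// Added example; ALLOWED_ORIGINS and corsResponse are hypothetical names.
const ALLOWED_ORIGINS = new Set(["https://formhost.com"]); // form host from the thread
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
const ALLOWED_HEADERS = ["x-requested-with"];

// `headers` uses lower-case keys, as Node's req.headers does.
// Returns { status, headers, done }. When `done` is true the response is
// complete (preflight answer or rejection); otherwise set the returned
// headers and continue to the upload handler.
function corsResponse(method, headers) {
  const origin = headers["origin"];
  const out = { Vary: "Origin" }; // the response depends on Origin, so tell caches
  if (!origin) return { status: null, headers: out, done: false }; // not a CORS request
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: out, done: true };
  out["Access-Control-Allow-Origin"] = origin; // echo only an exact allowlist match

  const requested = headers["access-control-request-method"];
  if (method.toUpperCase() !== "OPTIONS" || !requested) {
    return { status: null, headers: out, done: false }; // the actual upload request
  }
  // Preflight: check what the browser announces it is about to send.
  const wantHeaders = (headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(requested.toUpperCase()) &&
             wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return { status: 403, headers: out, done: true };

  out["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  out["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  out["Access-Control-Max-Age"] = "3600"; // seconds the browser may cache the answer
  return { status: 204, headers: out, done: true };
}
```

In an Express route like the one above, call it with `req.method` and `req.headers`, copy the returned headers onto `res`, and end the response when `done` is true.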