CORS and #sapnwcloud on a whiteboard
Another in the series of blogs by myself and Joanna Chan, about our experiences in building a cross-platform mobile application based on the SAP NetWeaver Cloud. I reckon that the title’s short enough I might even get a few other words in when I tweet out the link.
Now we’re going for a bit of an experiment here – we (Jo and I) co-wrote the blog about the fun we had in this space, because – well, it was both of us who faced the problems (one frustrating day in the old shoebox of an office) but from different angles. We decided that it would be nice for Jo to publish the actual blog on SCN – HERE IS THE LINK TO THE REAL BLOG, whilst I would publish my little video, along with any last minute thoughts I had.
It should be noted that a fair bit of the text blog was also written by me – see if you can guess which bits.
But anyway – here is the video:
As per always, if you want to see it in a size approaching useful – then feel free to open in a new window – http://www.youtube.com/watch?v=L1RWOr2dMsM&feature=youtu.be
I didn’t really explain well enough in the video the whole idea of pre-flight requests, which is the OPTIONS call that gets made before a PUT, POST or DELETE call. Indeed, where I did mention it was before a GET, where it often doesn’t happen… Preflight calls are supposed to happen to ensure that you don’t get the side-effects of non-allowed calls, i.e. the browser does the OPTIONS call, realises that it isn’t allowed, then doesn’t make the associated PUT, POST or DELETE. The problem is, there is no hard and fast requirement that agents/browsers actually make that pre-flight request. You can’t bet your code upon it happening! This is especially true when it comes to the reduced browser implementations that are typically found on mobile devices. CORS should be seen as a way of bypassing the Same Origin Policies that most browsers sensibly implement, not as a means of securing your server’s communications.
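What that means on the server side, as an added example (not code from the blog or the video): the handler answers a preflight with CORS headers, but checks credentials on every PUT, POST or DELETE whether or not a preflight ever arrived. The origin, the token and the `handle` request shape are constructed for illustration.

```javascript
// Added example: origin, token and handler shape are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed front-end origin
const VALID_TOKENS = new Set(["constructed-session-token"]);  // stand-in for a session lookup
const STATE_CHANGING = new Set(["PUT", "POST", "DELETE"]);

// Takes {method, headers} (lower-case header names), returns {status, headers}.
function handle(req) {
  const origin = req.headers["origin"];
  const cors = {};
  // CORS headers only tell a browser whether page script may use the response.
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    cors["Access-Control-Allow-Origin"] = origin;
    cors["Vary"] = "Origin";
  }

  if (req.method === "OPTIONS") {
    // Preflight: advertise what is permitted, perform no work.
    if (cors["Access-Control-Allow-Origin"]) {
      cors["Access-Control-Allow-Methods"] = "GET, PUT, POST, DELETE";
      cors["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    }
    return { status: 204, headers: cors };
  }

  if (STATE_CHANGING.has(req.method)) {
    // Checked on every request: the server cannot know whether a preflight happened.
    const auth = req.headers["authorization"] || "";
    const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
    if (!VALID_TOKENS.has(token)) return { status: 401, headers: cors };
    return { status: 204, headers: cors }; // the side effect would happen here
  }
  return { status: 200, headers: cors };
}

// Constructed sample requests covering the cases discussed above.
function demo() {
  const bearer = { authorization: "Bearer constructed-session-token" };
  return {
    preflightOk: handle({ method: "OPTIONS", headers: { origin: "https://app.example.com" } }),
    preflightOther: handle({ method: "OPTIONS", headers: { origin: "https://other.example" } }),
    noPreflightDelete: handle({ method: "DELETE", headers: {} }),
    authedDelete: handle({ method: "DELETE", headers: bearer }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```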
It’s also worth noting that Microsoft Internet Explorer does not provide full CORS support until IE10. So if you’re going to be forced to use that stuff (because no-one would choose to, right?) then beware! There are workarounds; the easiest is to install another browser…
Disclaimers, Ramblings, and other stuff
As usual, all mistakes, errors, inability to communicate effectively and unintentional offensive remarks are my own, and should not be taken to be representative of my company, who are awesome (THANK YOU!) for giving me the time to write this stuff up and share it with you. I fortunately didn’t share any code this time, although if I had, or you think I have, then you shouldn’t believe that it in any way represents stuff that might work; even if it does, you use it at your own risk.
It’s probably worth posting any questions on the blog that Jo has posted rather than here, unless it’s particularly related to the video. Thanks! Although of course I love to read your comments!