[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Inf-IT DAVcl] additional external ics resource in infcloud config file


Hi Ploc,

when I try to add your URL (more precisely the URL to which the original URL you send redirects: "https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics") then you get the following error:


and if you check the request headers then you will see the following:

...
X-Requested-With: XMLHttpRequest
...

and this header is NOT allowed in the "Access-Control-Allow-Headers". I don't understand why this request header is missing when you use the $.get (but present when you use $.ajax) - it is probably a bug in the jQuery $.get method - google for:

jquery $.get missing X-Requested-With


The X-Requested-With must be allowed for Ajax requests (Access-Control-Allow-Headers) even if your admin found one example (probably bug) where it works without it :-)


JM


On 12 Feb 2021, at 1:06 AM, Ploc <pub2021@xxxxxxxxxxxx> wrote:

Hi Jan,

I'm trying to talk with the webmaster of the resource I'm trying to embed in my calendar. Here is what he is saying :

Our API and static files are designed to be cross-domain usable. We have many applications that use this mechanism without a problem.
The following codes (jQuery and window.fetch) allow to retrieve the ICS file as you wish, from any page, as you can check here :

> https://jsfiddle.net/wzm287nj/.

Can you please tell what is the difference of the jsfiddle requests, and the one that are blocked in the infcloud configuration?

Thanks,

Ploc


Le 19/09/2020 à 23:35, Ján Máté a écrit :
Hi Ploc,
the:
   X-Requested-With: XMLHttpRequest
indicates that the request is a _javascript_ request. The server must allow this header in the Access-Control-Allow-Headers header...
And the authorization header ... maybe there is a bug in the jQuery Ajax request in the source code, there should be something like:
   if(inputResource.userAuth.userName!='' &&
   inputResource.userAuth.userPassword!='')
   ... send the header ...
But first you must solve the X-Requested-With header problem ...
JM
On 19 Sep 2020, at 23:18, Ploc <pub2021@xxxxxxxxxxxx <mailto:pub2021@xxxxxxxxxxxx>> wrote:

Thanks Jan for your answer, I should have read carefully the comment in the config file.

I checked the resource and the server and it appears that the headers are ok to serve resources as CORS :

curl -I
https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics <https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics>
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 19 Sep 2020 09:42:49 GMT
Content-Type: application/octet-stream
Content-Length: 9085
Last-Modified: Mon, 07 Sep 2020 13:33:36 GMT
ETag: "5f5636b0-237d"
Expires: Mon, 19 Oct 2020 09:42:49 GMT
Cache-Control: max-age=2592000
Content-Disposition: attachment
Pragma: public
Cache-Control: public
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Headers: Origin,Authorization,Accept,DNT,User-Agent,If-Modified-Since,Cache-Control,Content-Type,Range
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes

As you can see, all origins are available :

Access-Control-Allow-Origin: *

My problem is that InfCloud is hosted on a server where CSP (Content Security Policy) is enabled. I have another error where the remote ics resource is not fetched because the preflight request fails :

Blocage d’une requête multiorigines (Cross-Origin Request) : la
politique « Same Origin » ne permet pas de consulter la ressource distante située sur https://static.data.gouv.fr/resources/le-calendrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics?_=1600508468800. Raison : l’en-tête « x-requested-with » n’est pas autorisé d’après l’en-tête « Access-Control-Allow-Headers » de la réponse de pré-vérification des requêtes CORS.

In other words, there cannot be the x-requested-with header along with the Access-Control-Allow-Headers header.

As far as I understand, this is due to the response of the OPTION request and answer to static.data.gouv.fr which does not contain the correct header:

request:

> Access-Control-Request-Headers: authorization,x-requested-with

response:

> Access-Control-Allow-Headers: Origin,Authorization,Accept,DNT,User-Agent,If-Modified-Since,Cache-Control,Content-Type,Range

I don't understand why is there this authorization header as I'm not using any credential to retrieve this static public resource:

var globalSubscribedCalendars={
       hrefLabel: 'Subscribed',
       calendars: [
               {
                       href: 'https://static.data.gouv.fr/resources/le-cal endrier-scolaire-format-ical/20200907-153336/zones-a-b-c-2019-2020.ics',
                       userAuth: {
                               userName: '',
                               userPassword: ''
                       },
                       typeList: ['vevent'],
                       ignoreAlarm: true,
                       displayName: 'vacances scolaires',
                       color: '#ff0000'
               }
       ]
};

I can't find any way to fix this issue.

Do you have any idea about that?

Thanks,

Ploc


Le 19/09/2020 à 11:25, Ján Máté a écrit :
Hi Ploc,
yes of course, from the config.js:
   // globalSubscribedCalendars
   // This option specifies a list of remote URLs to ics files (e.g.: used
   // for distributing holidays information). Subscribed calendars are
   // ALWAYS read-only. *Remote servers where ics files are hosted MUST*
   // *return proper CORS headers (see readme.txt) otherwise this
   functionality*
   // *will not work!*
The main problem is related to CORS, because all _javascript_ (XHR) requests are subject of CORS limitations in modern browsers :-/
JM
On 19 Sep 2020, at 00:37, Ploc <pub2021@xxxxxxxxxxxx <mailto:pub2021@xxxxxxxxxxxx>> wrote:

Is there a way to add an additional external ics resource in infcloud config file?

I'm thinking about a static ics read-only calendar, such as holidays calendar:

https://www.data.gouv.fr/fr/datasets/le-calendrier-scolaire-format-ical/#resource-f3071c91-bd33-43e9-9fd5-3d6e3bfe7499 (french school holidays calendar)

Thanks for your answer.