[x3d-public] Cross origin policies - An example

Vincent Marchetti vmarchetti at ameritech.net
Thu Apr 14 06:38:46 PDT 2016


This is an example of how involved the issues of cross origin policy and CORS (cross-origin resource sharing) can get; specifically from X3D and the Cobweb browser. Since this example seems to involve server downtimes, I should point out that my description of events is from the 7 am- 8 am EDT (1100-1200 UTC) on April 14, 2016 time frame.

I started out wanting to write a quick email to the X3D WG about an application of the Extrusion node, whose spec we've been trying to clarify in the past few weeks (months?). There is an example model labeled Currencies on the Cobweb page I was going to highlight, that uses Extrusion node as part of line graph  of currency exchange rate vs time.

I went to the cobweb page at http://titania.create3000.de/cobweb/ . The example I want is "Currencies", the third choice from the top on Page 1 of the examples list. The model loads, but the plot was flat at zero, and the user-interaction didn't work; normally you can click on a currency and the plot would spring to life.

Here's my recreation of what's going on, and what went wrong:
1. The X3D model is hosted on github, https://github.com/create3000/cobweb/blob/master/cobweb.js/examples/currencies/currencies.x3d
A  secure web browser will not allow javascript on a http://titania.create3000.de page to make an XHR (XmlHttpRequest) to content on https://github.com unless the github server explicitly allowed it through the CORS mechanism. Apparently, Github as a policy will not do this. The workaround is that the URL for this example is actually:
https://rawgit.com/create3000/cobweb/master/cobweb.js/examples/currencies/currencies.x3d

https://rawgit.com is a proxy, it retrieves the underlying file from github, puts appropriate HTTP headers on the content, and also implements the CORS protocol so that my web browser is willing to retrieve it by XHR.

So far, so good; the model loads.

2. But then, in order to display up-to-date currency exchange rates, there is javascript in the currencies.x3d model to retrieve data from http://www.ecb.europa.eu (specifically an XML file at http://www.ecb.europa.eu/stats/eurofxref/eurofxref-hist-90d.xml )
Once again, Chrome would not allow retrieving from this server through XHR.

And again, a proxy comes to the rescue, in this case the proxy is https://crossorigin.me, and the actual URL called by the currencies.x3d script is :
https://crossorigin.me/http://www.ecb.europa.eu/stats/eurofxref/eurofxref-hist-90d.xml

which gets the XML file by alternative method, and delivers it to the X3D script with CORS permission. However, the crossorigin.me server is down, so no currency exchange data gets to the X3D script, and it's lifeless.

So the tricky part to get understand is that both the currencies.x3d file on Github and the xml data on www.europa.eu are intended to be publically available, so there's no backdoor sneaking of private content here; and in fact files are directly retrieved if you just enter their URLs into the brower address bar. It's just that the web browser won't retrieve them through XmlHttpRequest.

Vincent Marchetti
vmarchetti at ameritech.net






More information about the x3d-public mailing list