After configuring the webservice-server to support CORS by adding
Header set Access-Control-Allow-Origin "*"
to the apache virtual host conf, a new problem occured.
I call the webservice using jquery 1.5:
$.ajax( {
type: "GET",
url: wsBaseUrl + "?action=xyz",
dataType: "json",
success: function(data){
wsCallback(data);
}
});
This one works cross-domain with the adapted server config. However if the webservice needs authentication, which is the case on production system, it breaks again.
For authentication I add the jquery ajax params
username: "userx",
password: "passx",
Authentication alone (not cross-domain) works. But as soon as it's combined (authentication + cross-domain), it's over. jQuery invokes the error-callback telling me that the request is not allowed. I logged the requests with TamperData in Firefox and no webservice request is logged there. It may however be that a so called preflight is not logged there (but if so, why does that depend on authentication?).
I tried all combinations on my test-system and I'm quite sure that's the correct conclusion.
Now I'm really stuck. What else can I do to debug / work around this?
According to the MDC, simple GET requests are NOT preflighted but in the case of credentialed requests (like when you add the username, password in your example), the server MUST respond with Access-Control-Allow-Credentials: true in order for FF 1.5+ to allow the request to complete.
Update