Can I use Ajax in the Google App Engine as a registered user via https from the non-appspot.com domain?

Let's pretend that:

Given that Google Appspot HTTPS support only works for https://example.appspot.com (i.e. you cannot configure https://www.example.com with GAE), I would like to have an Ajax solution, and exactly:

My question / problem: how to ensure that users logged into http://www.example.com (through the Google Users API) pass their credentials for authentication through Ajax to https://example.appspot.com?

This seems to violate the same origin policy (which may or may not be a problem for the Google Users API), so how do you know what the user has registered with example.com for Ajax requests to example.appspot.com?

Thoughts, comments and input are welcome.

Thanks.

Brian

+4
4 answers

There are ways to work around the same origin policy when both sites cooperate; for example, see this post. But only trial and error will reveal which methods work for your specific requirements (this may depend on how strictly the user has set protective measures in his browser, as well as on server implementations).

+2

You can try using JSONP to get around this. However, JSONP does not have very good error recovery, as JSON does when making XHR calls.

+2

Isn't it easier to use frames? Submit one complete set of frames from your domain containing content from https://yourapp.appspot.com/.

Please note that in any solution there is a problem that users see an insecure site, not a secure one.

+1

example.appspot.com does not transfer cookies from example.com - you will not be able to identify the user without logging in to example.appspot.com as well.

You could, of course, completely disable Google Authentication at example.appspot.com and implement your own scheme; you can add the signature and username to the AJAX requests that you create and verify the signature in the application. If the signature is valid, just accept the user who was passed as the authenticated user and pretend they are logged in.

+1
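
The signed-request scheme described in the last answer, as an added example that is not part of the original answer: the side that knows the logged-in user issues a short-lived HMAC-signed token, and the Ajax handler on example.appspot.com verifies it. The shared `SECRET`, the five-minute lifetime, the token layout and the function names `issue_token` / `verify_token` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumption: one secret shared by the www.example.com and appspot back ends.
SECRET = b"constructed-demo-secret"
TTL_SECONDS = 300  # short lifetime limits replay of a captured token

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload, key):
    return hmac.new(key, payload, hashlib.sha256).digest()

def issue_token(username, now=None, key=SECRET):
    """Run where the user is already logged in; embed the result in the page."""
    now = int(time.time() if now is None else now)
    payload = json.dumps({"u": username, "exp": now + TTL_SECONDS}).encode()
    return _b64(payload) + "." + _b64(_sign(payload, key))

def verify_token(token, now=None, key=SECRET):
    """Run in the Ajax handler; return the username, or None if rejected."""
    now = int(time.time() if now is None else now)
    try:
        payload_part, sig_part = token.split(".")
        payload, sig = _unb64(payload_part), _unb64(sig_part)
    except ValueError:  # wrong shape or bad base64
        return None
    # Check the MAC before parsing; compare_digest is constant-time.
    if not hmac.compare_digest(sig, _sign(payload, key)):
        return None
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None
    return claims["u"]
```

The token is a bearer credential: a page delivered over plain http://www.example.com exposes it in transit, so the expiry only narrows the replay window and does not replace serving the issuing page over HTTPS.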