[Chameleon] BoundingBoxPopup error

Mon Dec 20 11:09:37 EST 2004

Daniel has pointed out that I am actually wrong about the source of this 
issue, it actually doesn't have anything to do with the session code, it 
is a browser security constraint that prevents scripting between windows 
that apparently come from different hosts.

There may also be a technical solution to this, which would be to 
rewrite the host part of the URL coming from the chameleon.xml (if it 
exists).

Sorry for the misleading comments,

Paul

Paul Spencer wrote:
> Scott,
> 
> this problem is not easily solved.  Chameleon session management 
> attempts to prevent session hijacking (or fixation) for security reasons 
> ... what this means is that when you start a session, the URL that you 
> connected from is recorded in the session.  When subsequent requests 
> arrive, the current URL is tested against the one in the session.  If 
> they don't match, the session is immediately terminated.
> 
> When you include an absolute URL in the chameleon.xml file, this has a 
> strange side effect because the session will record the URL that the 
> user used to connect, but popups are launched using the URL from 
> chameleon.xml.  If they aren't the same, you end up with this problem.
> 
> If you use a relative URL, then chameleon figures out the right host for 
> popups from the URL the user is using.
> 
> I think this is primarily a documentation issue, the way this works 
> should be left as-is to allow for tighter security, but it should be 
> clearly documented somewhere what the implications of using different 
> configurations in chameleon.xml are.
> 
> Thanks for finding this out and reporting it on the list.  Until you 
> brought this up, I hadn't really realized that this would happen.  Seems 
> obvious now ;)
> 
> Cheers,
> 
> Paul
> 
> Tweedy, Scott wrote:
> 
>> OK this problems seems to be solved, but in solving it I have to ask if
>> anyone else has run into the same issue.
>>
>> I'm running Chameleon 1.99 on a Linux box.  In my chameleon.xml
>> configuration file I defined the web_server_path variable as the absolute
>> path to chameleon using the IP address of the computer ie:
>>
>> <param-name>web_server_path</param-name>
>> <param-value>http://111.222.333.444/chameleon/</param-value>
>>
>> When I was testing in Netscape and IE I used the server name in the 
>> URL ie:
>> http://servername/applicationName
>>
>> and the BoundingBoxPopup produced the JavaScript exception errors 
>> listed in
>> the original e-mail and the BoudingBoxPopup widget wouldn't work 
>> properly.
>> When someone tested the application using the IP address of the 
>> computer in
>> the URL ie:
>> http://111.222.333.444/applicationName
>>
>> everything worked properly.  It seems that Chameleon is reading the 
>> absolute
>> path from the XML and if it doesn't match exactly (I did some other
>> variations) then these JavaScript errors occur.  I've since changed the
>> web_server_path variable to the relative value of "/chameleon/" and 
>> things
>> seem to work correctly.
>>
>> Has anyone else had this problem with IP address v. server name or alias?
>>
>> st
>>
>> -----Original Message-----
>> From: chameleon-bounces at lists.maptools.org
>> [mailto:chameleon-bounces at lists.maptools.org]On Behalf Of Tweedy, Scott
>> Sent: Wednesday, October 06, 2004 1:28 PM
>> To: 'chameleon at lists.maptools.org'
>> Subject: [Chameleon] BoundingBoxPopup error
>>
>>
>> I'm getting an error when I'm trying to use the BoundingBoxPopup widget.
>> The widget seems to open fine when In click on its button, but in the the
>> JavaScript Console I get the following error:
>>
>> Error: uncaught exception: Permission denied to get property
>> Window.getMapExtents
>>
>> When I enter coordinates in any of the boxes and click Zoom, nothing 
>> happens
>> and I get this error in the JavaScript Console:
>>
>> Error: uncaught exception: Permission denied to get property
>> Window.applyBoundingBox
>>
>> Any ideas on why this might happen?
>>
>> Thanks in advance,
>> st
>> _______________________________________________
>> Chameleon mailing list
>> Chameleon at lists.maptools.org
>> http://lists.maptools.org/mailman/listinfo/chameleon
>> _______________________________________________
>> Chameleon mailing list
>> Chameleon at lists.maptools.org
>> http://lists.maptools.org/mailman/listinfo/chameleon
>>
> 

-- 
+-----------------------------------------------------------------+
|Paul Spencer                           pspencer at dmsolutions.ca   |
+-----------------------------------------------------------------+
|Applications & Software Development                              |
|DM Solutions Group Inc                 http://www.dmsolutions.ca/|
+-----------------------------------------------------------------+