1 (edited by ryan 2014-01-11 23:35:32)

Topic: IE 8/9 cross-domain (CORS) support

I'm posting this in the Pro forum as I'm a Pro user, but I believe this topic should apply to both the Lite and Pro versions.

Given that Juicebox galleries are described in XML the are by nature quite portable. This makes them very friendly to "Create Once Publish Anywhere" (COPE) concepts, as a gallery (i.e., its XML) can be managed on one server but shown/embedded on another. Of course, if doing this "same origin policies" must be taken into account when hosting the XML on a domain that's different from the one the gallery is embedded in. In this regard CORS seems to be the best practice, and adding an "Access-Control-Allow-Origin" response header when the XML is served seems to work as expected when embedding a gallery in one domain and hosting its XML in another.

However, a problem arises if viewing such a gallery in IE 8 or 9. It seems that IE 8 and 9 don't support CORS 100% correctly. So even if the XML is fetched from a (different) domain that adds a header like "Access-Control-Allow-Origin: *", Juicebox will still not load the XML as it gets incorrectly blocked by the browser's security controls.

As the Juicebox code is not open I can only guess on why this might be. Perhaps it is because you are using XMLHTTPRequest to get the XML? For IE 8 and 9 it seems that the recommended technique is to use XDomainRequest instead, as this will correctly support CORS. See: http://blogs.msdn.com/b/ieinternals/arc … ounds.aspx

IE 8 and 9 are fairly old now, but given that Juicebox is suppose to support them I wonder if you also have interest in ensuring everything works with CORS. I'm sure you have some browser-detection backed into your code, so perhaps that needs to conditionally use XDomainRequest instead of XMLHTTPRequest when IE 8 or 9 is detected? At the moment at least (as of v1.3.3), it seems like this is not happening.

I'm not an expert on this topic, and am only basing all this on observation and testing. It would just be interesting to know more about what level of cross-browser CORS support has been included in Juicebox.

Cheers

Re: IE 8/9 cross-domain (CORS) support

Juicebox does have CORS support and does use browser detection but, as far as I am aware, does not use XDomainRequest which may well be the key to having CORS support for IE8 and IE9.
Thank you for your post. I have notified the developers.

3 (edited by ryan 2014-01-12 03:22:03)

Re: IE 8/9 cross-domain (CORS) support

Great, thanks. It's great to see that CORS concepts are already considered. Hopefully any missing IE 8 and 9 support would be a simple adjustment. I think that anything <IE 8 is a lost cause for CORS, as support for that may be impossible. Thankfully anything <IE 8 is going out of style fast.

Re: IE 8/9 cross-domain (CORS) support

Hi Ryan,

are you saying that cross-domain galleries do not run on IE8 + IE9? Do you have an example URL?

thanks,

- Felix

Re: IE 8/9 cross-domain (CORS) support

Sure, here's a quick demonstrative example:

http://li321-141.members.linode.com/temp/index.html

The embed code there calls upon XML that's hosted in a different domain: http://www.ryan-jacobs.net/juicebox/xml … e_1/Nature ... When the XML is served up a "Access-Control-Allow-Origin: *" response header is included (which is obviously critical to allow CORS to work).

In that example everything works great on modern browsers, but fails on IE8 (and presumably 9), with the "XML Not Found" Juicebox grey screen of death. Direct requests to the XML work fine in all browsers. Given that IE8/9 require special considerations to implement CORS support (as noted in my comments above) I figured that must be the root of the issue.

Btw, I don't personally requite CORS support for any of my own projects, but I do maintain a Juicebox integration module project for Drupal which has become quite popular. I discovered this issue while testing various features and configurations for that project that other Drupal users are interested in.

Re: IE 8/9 cross-domain (CORS) support

Many thanks for providing the sample gallery.
I have been able to replicate the problem in a test gallery and have logged a bug report.
The problem is that Juicebox uses jQuery and jQuery does not include XDomainRequest support. Please see this jQuery bug report for further details.

7 (edited by ryan 2014-02-02 01:04:05)

Re: IE 8/9 cross-domain (CORS) support

OK, thanks. I think that makes sense.

Given that jQuery is used within the internal Juicebox logic, I'm curious how it gets included. Manually including a jQuery library is not a dependency for Juicebox to work, and it does not look like Juicebox makes any external requests to fetch/include any version of jQuery from a remote server at runtime. Does this mean that a jQuery library of some sort is actually bundled inside of juicebox.js itself?

Just curious.

Ryan

Re: IE 8/9 cross-domain (CORS) support

Does this mean that a jQuery library of some sort is actually bundled inside of juicebox.js itself?

Yes. The 'juicebox.js' file contains its own version of jQuery so there is no need to include jQuery separately in a gallery's web page for a Juicebox gallery to function correctly.
If your own web page uses jQuery for other things , it would be wise to include the current stable version of jQuery in your web page rather than relying on the version bundled within 'juicebox.js' (which may not contain all the jQuery functionality your web page requires).