Support subdomain cross site script query in Simple Pipe.

zhourenjian · zhourenjian · commit 6b153f0bc63e · 2009-02-26T15:13:59.000Z
In the past, setup pipe to sub.main.com from main.com will result in lots of &lt;SCRIPT&gt; loading, and generate lots of "loading-and-loaded" UI changes in browser. And these changes will result in flashing UI experience. And now, such subdomain pipes will be carefully dealt, using permanent &lt;IFRAME&gt; connection or XMLHttpRequest instead. So no flashing "loading" UI.
diff --git a/sources/net.sf.j2s.ajax/ajaxpipe/net/sf/j2s/ajax/SimplePipeHttpServlet.java b/sources/net.sf.j2s.ajax/ajaxpipe/net/sf/j2s/ajax/SimplePipeHttpServlet.java
@@ -79,7 +79,8 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp)
 		if (type == null) {
 			type = SimplePipeRequest.PIPE_TYPE_CONTINUUM;
 		}
-		doPipe(resp, key, type);
+		String domain = req.getParameter(SimplePipeRequest.FORM_PIPE_DOMAIN);
+		doPipe(resp, key, type, domain);
 	}
 
 	/**
@@ -101,7 +102,7 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp)
 	 * type = notify
 	 * Notify that client (browser) still keeps the pipe connection.
 	 */ 
-	protected void doPipe(final HttpServletResponse resp, String key, String type)
+	protected void doPipe(final HttpServletResponse resp, String key, String type, String domain)
 			throws IOException {
 		PrintWriter writer = null;
 		resp.setHeader("Pragma", "no-cache");
@@ -122,6 +123,24 @@ protected void doPipe(final HttpServletResponse resp, String key, String type)
 			writer.write("\");");
 			return;
 		}
+		if (SimplePipeRequest.PIPE_TYPE_SUBDOMAIN_QUERY.equals(type)) { // subdomain query
+			resp.setContentType("text/html; charset=utf-8");
+			writer = resp.getWriter();
+			StringBuffer buffer = new StringBuffer();
+			buffer.append("<html><head><title></title></head><body>\r\n");
+			buffer.append("<script type=\"text/javascript\">");
+			buffer.append("p = new Object ();\r\n");
+			buffer.append("p.originalDomain = document.domain;\r\n");
+			buffer.append("document.domain = \"" + domain + "\";\r\n");
+			buffer.append("p.key = \"" + key + "\";\r\n");
+			buffer.append("var spr = window.parent.net.sf.j2s.ajax.SimplePipeRequest;\r\n");
+			buffer.append("eval (\"(\" + spr.subdomainInit + \") (p);\");\r\n");
+			buffer.append("eval (\"((\" + spr.subdomainLoopQuery + \") (p)) ();\");\r\n");
+			buffer.append("</script>\r\n");
+			buffer.append("</body></html>\r\n");
+			writer.write(buffer.toString());
+			return;
+		}
 		if (SimplePipeRequest.PIPE_TYPE_CONTINUUM.equals(type)) {
 			resp.setHeader("Transfer-Encoding", "chunked");
 		}
@@ -131,6 +150,9 @@ protected void doPipe(final HttpServletResponse resp, String key, String type)
 			StringBuffer buffer = new StringBuffer();
 			buffer.append("<html><head><title></title></head><body>\r\n");
 			buffer.append("<script type=\"text/javascript\">");
+			if (domain != null) {
+				buffer.append("document.domain = \"" + domain + "\";");
+			}
 			buffer.append("function $ (s) { if (window.parent) window.parent.net.sf.j2s.ajax.SimplePipeRequest.parseReceived (s); }");
 			buffer.append("</script>\r\n");
 			writer.write(buffer.toString());
diff --git a/sources/net.sf.j2s.ajax/ajaxpipe/net/sf/j2s/ajax/SimplePipeRequest.java b/sources/net.sf.j2s.ajax/ajaxpipe/net/sf/j2s/ajax/SimplePipeRequest.java
@@ -49,6 +49,11 @@ public class SimplePipeRequest extends SimpleRPCRequest {
 	 */
 	protected static final String PIPE_TYPE_QUERY = "q"; // "query";
 	
+	/**
+	 * Type of pipe request: subdomain-query
+	 */
+	protected static final String PIPE_TYPE_SUBDOMAIN_QUERY = "u"; // "subdomain-query";
+	
 	/**
 	 * Type of pipe request: notify
 	 */
@@ -80,6 +85,11 @@ public class SimplePipeRequest extends SimpleRPCRequest {
 	 */
 	protected static final String FORM_PIPE_TYPE = "t"; // "pipetype";
 	
+	/**
+	 * Query key for pipe: pipetype
+	 */
+	protected static final String FORM_PIPE_DOMAIN = "d"; // "pipedomain";
+
 	/**
 	 * Query key for pipe: pipernd
 	 */
@@ -464,6 +474,24 @@ static void pipeScript(SimplePipeRunnable runnable) { // xss
 		// only for JavaScript
 	}
 	
+	/**
+	 * @param runnable
+	 * @param domain
+	 * @j2sNative
+var ifr = document.createElement ("IFRAME");
+ifr.style.display = "none";
+var pipeKey = runnable.pipeKey;
+var spr = net.sf.j2s.ajax.SimplePipeRequest;
+var url = runnable.getPipeURL();
+ifr.src = url + (url.indexOf('?') != -1 ? "&" : "?") 
+		+ spr.constructRequest(pipeKey, spr.PIPE_TYPE_SUBDOMAIN_QUERY, true)
+		+ "&" + spr.FORM_PIPE_DOMAIN + "=" + domain;
+document.body.appendChild (ifr);
+	 */
+	static void pipeSubdomainQuery(SimplePipeRunnable runnable, String domain) {
+		// only for JavaScript
+	}
+	
 	static void pipeNotify(SimplePipeRunnable runnable) { // notifier
 		String url = runnable.getPipeURL();
 		loadPipeScript(url + (url.indexOf('?') != -1 ? "&" : "?")
@@ -504,25 +532,7 @@ public void onLoaded() {
 				 * @j2sNative
 				 * if (window == null || window["net"] == null) return;
 				 */ {}
-				String responseText = pipeRequest.getResponseText();
-				if (responseText != null) {
-					String retStr = parseReceived(responseText);
-					if (retStr != null && retStr.length() > 0) {
-						String destroyedKey = PIPE_STATUS_DESTROYED;
-						if (retStr.indexOf(destroyedKey) == 0) {
-							int beginIndex = destroyedKey.length() + 1;
-							String pipeKeyStr = retStr.substring(beginIndex, beginIndex + PIPE_KEY_LENGTH);
-							SimplePipeRunnable pipe = SimplePipeHelper.getPipe(pipeKeyStr);
-							if (pipe != null) {
-								pipe.pipeAlive = false;
-								pipe.pipeClosed();
-								SimplePipeHelper.removePipe(pipeKeyStr);
-							}
-							//SimplePipeHelper.removePipe(pipeKeyStr);
-						}
-					}
-				}
-				
+				onPipeDataReceived(pipeRequest.getResponseText());
 				/**
 				 * @j2sNative
 				 * net.sf.j2s.ajax.SimplePipeRequest.lastQueryReceived = true;
@@ -541,6 +551,26 @@ public void onLoaded() {
 		sendRequest(pipeRequest, pipeMethod, pipeURL, pipeRequestData, async);
 	}
 
+	static void onPipeDataReceived(String responseText) {
+		if (responseText != null) {
+			String retStr = parseReceived(responseText);
+			if (retStr != null && retStr.length() > 0) {
+				String destroyedKey = PIPE_STATUS_DESTROYED;
+				if (retStr.indexOf(destroyedKey) == 0) {
+					int beginIndex = destroyedKey.length() + 1;
+					String pipeKeyStr = retStr.substring(beginIndex, beginIndex + PIPE_KEY_LENGTH);
+					SimplePipeRunnable pipe = SimplePipeHelper.getPipe(pipeKeyStr);
+					if (pipe != null) {
+						pipe.pipeAlive = false;
+						pipe.pipeClosed();
+						SimplePipeHelper.removePipe(pipeKeyStr);
+					}
+					//SimplePipeHelper.removePipe(pipeKeyStr);
+				}
+			}
+		}
+	}
+
 	/**
 	 * Create pipe connection for the SimplePipeRunnable.
 	 * In Java, customized HttpRequest object is used to create Comet connection.
@@ -559,8 +589,11 @@ public void onLoaded() {
 var pipeKey = runnable.pipeKey;
 var spr = net.sf.j2s.ajax.SimplePipeRequest;
 var url = runnable.getPipeURL();
+var subdomain = arguments[1];
 ifr.src = url + (url.indexOf('?') != -1 ? "&" : "?") 
-		+ spr.constructRequest(pipeKey, spr.PIPE_TYPE_SCRIPT, true);
+		+ spr.constructRequest(pipeKey, spr.PIPE_TYPE_SCRIPT, true)
+		+ (subdomain == null ? ""
+				: "&" + spr.FORM_PIPE_DOMAIN + "=" + subdomain);
 document.body.appendChild (ifr);
 var threadFun = function (pipeFun, key) {
 		return function () {
@@ -762,12 +795,28 @@ static void ajaxPipe(final SimplePipeRunnable runnable) {
 		 * Here in JavaScript mode, try to detect whether it's in cross site
 		 * script mode or not. In XSS mode, <SCRIPT> is used to make requests. 
 		 */
-		boolean isXSS = isXSSMode(runnable.getPipeURL());
+		String pipeURL = runnable.getPipeURL();
+		boolean isXSS = isXSSMode(pipeURL);
+		boolean isSubdomain = false;
+		if (isXSS) {
+			isSubdomain = isSubdomain(pipeURL);
+		}
 
-		if (!isXSS && pipeMode == MODE_PIPE_CONTINUUM)
+		if ((!isXSS || isSubdomain) && pipeMode == MODE_PIPE_CONTINUUM)
 			/**
 			 * @j2sNative
-			 * net.sf.j2s.ajax.SimplePipeRequest.pipeContinuum (runnable);
+			 * var subdomain = null;
+			 * if (isSubdomain) {
+			 * 	subdomain = window.location.host;
+			 * 	if (subdomain != null) {
+			 * 		var idx = subdomain.indexOf (":");
+			 * 		if (idx != -1) {
+			 * 			subdomain = subdomain.substring (0, idx);
+			 * 		}
+			 * 		document.domain = subdomain; // set owner iframe's domain
+			 * 	}
+			 * }
+			 * net.sf.j2s.ajax.SimplePipeRequest.pipeContinuum (runnable, subdomain);
 			 */
 		{
 			//pipeQuery(runnable, "continuum");
@@ -779,6 +828,20 @@ public void run() {
 		} else
 			/**
 			 * @j2sNative
+if (isXSS && isSubdomain
+ 		&& net.sf.j2s.ajax.SimplePipeRequest.isSubdomainXSSSupported ()) {
+	var subdomain = null;
+	subdomain = window.location.host;
+	if (subdomain != null) {
+		var idx = subdomain.indexOf (":");
+		if (idx != -1) {
+			subdomain = subdomain.substring (0, idx);
+		}
+		document.domain = subdomain; // set owner iframe's domain
+	}
+	net.sf.j2s.ajax.SimplePipeRequest.pipeSubdomainQuery (runnable, subdomain);
+	return;
+}
 var spr = net.sf.j2s.ajax.SimplePipeRequest;
 spr.lastQueryReceived = true;
 if (spr.queryTimeoutHandle != null) {
@@ -817,4 +880,135 @@ public void run() {
 		}
 	}
 
+	/**
+	 * For early version of Firefox (<1.5) and Opera (<9.6), subdomain XSS
+	 * query may be unsupported.
+	 * 
+	 * @return whether subdomain XSS is supported or not.
+	 * 
+	 * @j2sNative
+	var dua = navigator.userAgent;
+	var dav = navigator.appVersion;
+	if (dua.indexOf("Opera") != -1 && parseFloat (dav) < 9.6) {
+		return false;
+	}
+	if (dua.indexOf("Firefox") != -1 && parseFloat (dav) < 1.5) {
+		return false;
+	}
+	if (dua.indexOf("MSIE") != -1 && parseFloat (dav) < 6.0) {
+		return false;
+	}
+	return true;
+	 */
+	static boolean isSubdomainXSSSupported() {
+		return true;
+	}
+	
+	/**
+	 * 
+	 * @param p
+	 * @j2sNative
+p.initParameters = function () {
+	this.parentDomain = document.domain;
+	this.pipeQueryInterval = 1000;
+	this.lastQueryReceived = true;
+	this.runnable = null;
+	var oThis = this;
+	with (window.parent) {
+		var sph = net.sf.j2s.ajax.SimplePipeHelper;
+		var spr = net.sf.j2s.ajax.SimplePipeRequest;
+		this.runnable = sph.getPipe(this.key);
+		this.pipeQueryInterval = spr.getQueryInterval ();
+	}
+};
+p.initHttpRequest = function () {
+	this.xhrHandle = null;
+	if (window.XMLHttpRequest) {
+		this.xhrHandle = new XMLHttpRequest();
+	} else {
+		try {
+			this.xhrHandle = new ActiveXObject("Msxml2.XMLHTTP");
+		} catch (e) {
+			this.xhrHandle = new ActiveXObject("Microsoft.XMLHTTP");
+		}
+	}
+	var oThis = this;
+	this.xhrHandle.onreadystatechange = function () {
+		var state = oThis.xhrHandle.readyState;
+		if (state == 4) {
+			var pipeData = oThis.xhrHandle.responseText;
+			oThis.xhrHandle.onreadystatechange = function () {};
+			oThis.xhrHandle = null;
+			document.domain = oThis.parentDomain;
+			oThis.lastQueryReceived = true;
+			with (window.parent) {
+				var sph = net.sf.j2s.ajax.SimplePipeHelper;
+				var spr = net.sf.j2s.ajax.SimplePipeRequest;
+				spr.onPipeDataReceived (pipeData);
+				oThis.runnable = sph.getPipe (oThis.key);
+			}
+		}
+	};
+};
+p.pipeXHRQuery = function (request, method, url, data) {
+	if ("GET" == method.toUpperCase ()) {
+		request.open (method, url + (url.indexOf ('?') != -1 ? "&" : "?") + data, true, null, null);
+		data = null;
+	} else {
+		request.open (method, url, true, null, null);
+	}
+	request.setRequestHeader ("User-Agent",
+			"Java2Script-Pacemaker/2.0.0 (+http://j2s.sourceforge.net)");
+	if (method != null && method.toLowerCase () == "post") {
+		request.setRequestHeader ("Content-type", 
+				"application/x-www-form-urlencoded");
+		if (request.overrideMimeType) {
+			request.setRequestHeader ("Connection", "close");
+		}
+	}
+	request.send(data);
+};
+p.initParameters ();
+	 */
+	static void subdomainInit(Object p) {
+		// for JavaScript only
+	}
+	
+	/**
+	 * 
+	 * @param p
+	 * @j2sNative
+return function () {
+	if (p.runnable != null) {
+		if (p.lastQueryReceived) {
+			p.lastQueryReceived = false;
+			var method = null;
+			var url = null;
+			var data = null;
+			with (window.parent) {
+				method = p.runnable.getPipeMethod ();
+				url = p.runnable.getPipeURL ();
+				var spr = net.sf.j2s.ajax.SimplePipeRequest;
+				data = spr.constructRequest(p.key, spr.PIPE_TYPE_QUERY, true);
+			}
+			try {
+				document.domain = p.originalDomain;
+			} catch (e) {};
+			p.initHttpRequest ();
+			try {
+				p.pipeXHRQuery (p.xhrHandle, method, url, data);
+			} catch (e) {
+				p.xhrHandle.onreadystatechange = function () {};
+				p.xhrHandle = null;
+				document.domain = p.parentDomain;
+				p.lastQueryReceived = true;
+			}
+		}
+		window.setTimeout (arguments.callee, p.pipeQueryInterval);
+	}
+};
+	 */
+	static void subdomainLoopQuery(Object p) {
+		// for JavaScript only
+	}
 }
diff --git a/sources/net.sf.j2s.ajax/ajaxrpc/net/sf/j2s/ajax/SimpleRPCRequest.java b/sources/net.sf.j2s.ajax/ajaxrpc/net/sf/j2s/ajax/SimpleRPCRequest.java
@@ -197,6 +197,10 @@ protected static String adjustRequestURL(String method, String url, String seria
 	if (idx4 != -1) {
 		locHost = locHost.substring (0, idx4);
 	}
+	if (arguments.length == 2) { // check subdomain
+		return host.indexOf ("." + locHost) != -1 && locPort == port
+				&& loc.protocol == protocol && loc.protocol != "file:";
+	}
 	return (locHost != host || locPort != port
 			|| loc.protocol != protocol || loc.protocol == "file:");
 }
@@ -206,6 +210,16 @@ protected static boolean isXSSMode(String url) {
 		return false;
 	}
 	
+	/**
+	 * Check that whether it is a subdomain of current location.
+	 * @param url
+	 * @return
+	 * @j2sNative
+	 * return net.sf.j2s.ajax.SimpleRPCRequest.isXSSMode(url, true);
+	 */
+	protected static boolean isSubdomain(String url) {
+		return false;
+	}
 	/**
 	 * Check cross site script. Only make senses for JavaScript.
 	 * 
