DWR Cross-domain Support

DWR can be used cross-domain (these instructions apply to 3.0 RC2 and above), but only at the cost of some of DWR's security features. You must follow these steps:

  1. Add the following three parameters to your web.xml:
    <!-- Enables <script> remoting -->
    <init-param>
      <param-name>allowScriptTagRemoting</param-name>
      <param-value>true</param-value>
    </init-param>
    
    <!-- Disables DWR's CSRF protection -->
    <init-param>
      <param-name>crossDomainSessionSecurity</param-name>
      <param-value>false</param-value>
    </init-param>
    
    <!-- Enables GET requests which are necessary for X-domain calls -->
    <init-param>
      <param-name>allowGetForSafariButMakeForgeryEasier</param-name>
      <param-value>true</param-value>
    </init-param> 
    
  2. Specify a pathToDwrServlet variable in JavaScript BEFORE engine.js is included:
      <script>
        var pathToDwrServlet = "http://directwebremoting.org/dwr-demo/dwr"; // Path to dwr on foreign domain
      </script>
      <script type='text/javascript' src='http://directwebremoting.org/dwr-demo/dwr/engine.js'> </script>
    
    This is required because DWR makes an initial call to the server while engine.js is loading. If the remote URL is static and known ahead of time, you can skip this step and set the overridePath parameter instead.

  3. Before making a remote call set the _path field on your DWR interface:
      <script>
        Demo._path = 'http://directwebremoting.org/dwr-demo/dwr';
        Demo.sayHello(name, loadinfo);
      </script>
    
    If the remote URL is static and known ahead of time, you can also skip this step and set the overridePath parameter instead.
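
A check for the settings from step 1, as an added example that is not part of the original DWR documentation: it scans a web.xml for the three init-params set to the values shown above, so deployments that have relaxed these protections can be found and reviewed. The sample web.xml, its namespace and its servlet names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The three values from step 1 that relax DWR's defaults, with the effect
# as described by the comments in the page's own web.xml snippet.
RELAXED = {
    "allowScriptTagRemoting": ("true", "enables <script> remoting"),
    "crossDomainSessionSecurity": ("false", "disables DWR's CSRF protection"),
    "allowGetForSafariButMakeForgeryEasier": ("true", "enables GET requests"),
}

def local(tag):
    """Strip an XML namespace so namespaced and plain web.xml files both match."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child with this local name, or ""."""
    return next(((c.text or "").strip() for c in elem if local(c.tag) == name), "")

def audit_web_xml(xml_text):
    """Return (servlet-name, param-name, effect) for each relaxed setting."""
    findings = []
    for servlet in ET.fromstring(xml_text).iter():
        if local(servlet.tag) != "servlet":
            continue
        name = child_text(servlet, "servlet-name")
        for param in (c for c in servlet if local(c.tag) == "init-param"):
            key = child_text(param, "param-name")
            # Case-insensitive match is a conservative assumption for an audit.
            value = child_text(param, "param-value").lower()
            if key in RELAXED and value == RELAXED[key][0]:
                findings.append((name, key, RELAXED[key][1]))
    return findings

# Constructed sample: one servlet configured as in step 1, one left protected.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet><servlet-name>dwr-public</servlet-name>
    <init-param><param-name>allowScriptTagRemoting</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>crossDomainSessionSecurity</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>allowGetForSafariButMakeForgeryEasier</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet><servlet-name>dwr-internal</servlet-name>
    <init-param><param-name>crossDomainSessionSecurity</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    print(*audit_web_xml(SAMPLE), sep="\n")
```

Only the servlet configured as in step 1 is reported; the servlet that leaves crossDomainSessionSecurity set to true produces no finding.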