DWR Cross-domain Support
DWR can be used cross-domain (these instructions apply to 3.0 RC2 and above), but only at the cost of some of DWR's security features. You must follow these steps:
- Add the following three parameters to your web.xml:
    <!-- Enables <script> remoting -->
    <init-param>
      <param-name>allowScriptTagRemoting</param-name>
      <param-value>true</param-value>
    </init-param>
    <!-- Disables DWR's CSRF protection -->
    <init-param>
      <param-name>crossDomainSessionSecurity</param-name>
      <param-value>false</param-value>
    </init-param>
    <!-- Enables GET requests which are necessary for X-domain calls -->
    <init-param>
      <param-name>allowGetForSafariButMakeForgeryEasier</param-name>
      <param-value>true</param-value>
    </init-param>
- Specify a pathToDwrServlet variable in JavaScript BEFORE engine.js is included:
    <script>
      var pathToDwrServlet = "http://directwebremoting.org/dwr-demo/dwr"; // Path to dwr on foreign domain
    </script>
    <script type='text/javascript' src='http://directwebremoting.org/dwr-demo/dwr/engine.js'></script>

This is required because DWR makes an initial call to the server while engine.js is loading. If the remote URL is static or known ahead of time, this step can be skipped by setting the overridePath parameter instead.
- Before making a remote call, set the _path field on your DWR interface:
    <script>
      Demo._path = 'http://directwebremoting.org/dwr-demo/dwr';
      Demo.sayHello(name, loadinfo);
    </script>

If the remote URL is static or known ahead of time, this step can also be skipped by setting the overridePath parameter instead.
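Because the three web.xml parameters in the first step relax DWR's defaults, it is useful to be able to find where they are set. The following is an added example, not part of the DWR documentation: a Python check that reports any servlet in a deployment descriptor carrying those values. The sample descriptor and the servlet name dwr-invoker are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Init-params from the steps above, with the value that relaxes DWR's defaults.
RISKY = {
    "allowScriptTagRemoting": ("true", "enables <script> tag remoting"),
    "crossDomainSessionSecurity": ("false", "disables DWR's CSRF protection"),
    "allowGetForSafariButMakeForgeryEasier": ("true", "enables GET requests"),
}

# Constructed sample descriptor (servlet name is illustrative, not from the page).
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>dwr-invoker</servlet-name>
    <init-param><param-name>allowScriptTagRemoting</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>crossDomainSessionSecurity</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>allowGetForSafariButMakeForgeryEasier</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def local(tag):
    """Drop the XML namespace so namespaced and bare descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_web_xml(xml_text):
    """Return (servlet, param, value, effect) for each risky setting found."""
    findings = []
    for servlet in ET.fromstring(xml_text).iter():
        if local(servlet.tag) != "servlet":
            continue
        servlet_name = child_text(servlet, "servlet-name")
        for param in servlet:
            if local(param.tag) != "init-param":
                continue
            name = child_text(param, "param-name")
            value = child_text(param, "param-value")
            # Case-insensitive match is an assumption, chosen to over-report.
            if name in RISKY and value.lower() == RISKY[name][0]:
                findings.append((servlet_name, name, value, RISKY[name][1]))
    return findings

if __name__ == "__main__":
    for servlet_name, name, value, effect in audit_web_xml(SAMPLE):
        print(f"{servlet_name}: {name}={value} ({effect})")
```
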