Servlet doOptions() For CORS Preflight Check

The following code sample adds a doOptions method within a servlet and sends the appropriate headers in response to a CORS preflight request.

A CORS preflight request is an HTTP OPTIONS request that most browsers send prior to making an AJAX-JSONP call. The browser expects a series of access control headers stating whether the server allows cross-domain information sharing. The settings in the code below will fit the needs of the vast majority of AJAX-JSONP applications.

public void doOptions(HttpServletRequest req, HttpServletResponse resp)
        throws IOException {
    //The following are CORS headers. Max age informs the 
    //browser to keep the results of this call for 1 day.
    resp.setHeader("Access-Control-Allow-Origin", "*");
    resp.setHeader("Access-Control-Allow-Methods", "GET, POST");
    resp.setHeader("Access-Control-Allow-Headers", "Content-Type");
    resp.setHeader("Access-Control-Max-Age", "86400");
    //Tell the browser what requests we allow.
    resp.setHeader("Allow", "GET, HEAD, POST, TRACE, OPTIONS");
}
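
For a servlet that should answer only known front ends, the wildcard origin above can be replaced with an exact-match allow-list. The following is an added example, not code from the original post; the class name, the two example.com origins and the javax.servlet namespace (jakarta.servlet on newer containers) are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: preflight handler that echoes the Origin only when it is allow-listed.
public class AllowListCorsServlet extends HttpServlet {

    // Hypothetical origins; replace with the sites that actually call this servlet.
    private static final Set<String> ALLOWED_ORIGINS =
            Set.of("https://app.example.com", "https://admin.example.com");
    private static final Set<String> ALLOWED_METHODS = Set.of("GET", "POST");

    /** Returns the origin to echo back, or null when the caller is not trusted. */
    static String approvedOrigin(String origin) {
        // Exact string match only: no substring, suffix or regex comparison.
        return (origin != null && ALLOWED_ORIGINS.contains(origin)) ? origin : null;
    }

    @Override
    protected void doOptions(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // The response differs per Origin, so caches must key on that header.
        resp.setHeader("Vary", "Origin");
        // TRACE is deliberately not advertised here.
        resp.setHeader("Allow", "GET, HEAD, POST, OPTIONS");

        String origin = approvedOrigin(req.getHeader("Origin"));
        String method = req.getHeader("Access-Control-Request-Method");
        if (origin == null || method == null || !ALLOWED_METHODS.contains(method)) {
            // No CORS headers are sent, so the browser blocks the cross-origin call.
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setHeader("Access-Control-Allow-Origin", origin);
        resp.setHeader("Access-Control-Allow-Methods", "GET, POST");
        resp.setHeader("Access-Control-Allow-Headers", "Content-Type");
        // Max age lets the browser reuse this preflight result for 1 day.
        resp.setHeader("Access-Control-Max-Age", "86400");
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The same approvedOrigin check has to set Access-Control-Allow-Origin on the doGet and doPost responses as well, because the browser validates the actual response and not only the preflight.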

Setting SPF For Your Domain

Sender Policy Framework (SPF) is a way to validate outgoing mail; it essentially allows a domain to say, “only these named servers are allowed to send mail under my name; any other servers attempting to do so may be malicious or may be sending spam.” If you send mail from your domain, it’s important to set SPF rules so receiving domains know that your mail is valid and isn’t spam.

To create your SPF record, visit the SPF website and figure out the appropriate SPF record for your domain. Then place it as a TXT record in your domain’s DNS.

As an example, my domain sends no mail so the appropriate SPF record is:

v=spf1 -all

If you have NameCheap as your domain registrar, here’s how to set an SPF record. First, log in and click the link All Host Records:

Put in the following settings:

Host Name: @
IP Address: v=spf1 -all
Record Type: TXT
TTL: 1800

Here’s how it looks on the administration console:

If you use a different domain registrar there should be similar options. If not, contact your registrar for the appropriate steps to take.

Google Error Page

A few weeks ago I wrote a post about how designing good error pages is important for UX. For another demonstration of a good error page, look at Google’s 404 error page:

And here’s a closeup of the robot:

It’s a simple, straightforward error page. It explains the error, pokes fun at the problem with a broken robot picture, and links the user to the root page (the Google logo links to the Google home page).

YouTube Error Page

When designing web sites it’s always important to make every page – even error pages – user friendly. As an example, here’s a picture of YouTube’s error page. The reference to highly trained monkeys always makes me laugh.

Adding a domain alias

I was trying to add a subdomain off of this domain (learntogoogleit.com) to my Google Apps, but apparently this isn’t allowed:

Google Apps won’t let you put in any domain that contains the word google. Blogger doesn’t allow it either. Amusingly enough, it does allow domains with competitor names in them, such as bing or microsoft.