I am trying to implement religious calendar for my client's website. I have service that gets xml/json data of calendar that is on another domain. Link works, but when I try get it from jQuery get method it success but there is no data
$( document ).ready(function() {
$.get('http://api.xhanch.com/islamic-get-prayer-time.php?lng=16.047624400000018&lat=45.78988090000001&yy=2014&mm=11&gmt=1&m=xml', function(data) {
alert(data);
});
});
For now, request is only from localhost but, I thing, it is not matter. So, is there an error or there is another way to get this data? I tried jQuery.ajax() but it is the same. The request succeeds but there is no data to alert.
Web browsers block AJAX requests to different domains due to security reasons unless "Access-Control-Allow-Origin" headers are set in the response from the server. When an AJAX request is coming from users, web browsers checks if the target domain is same or not. If the target domain is the same, the request is sent. Otherwise the browser sends a different request to the remote server and checks the corresponding response for the headers. If the headers contains the permission for cross domain requests, the browser sends the user's AJAX request to the remote server. Otherwise browser blocks it... The server you are sending the request seems not to be setting the headers and because of that the browsers don't allow.
As an alternative you can create a proxy at your server side. The request from the users will be sent to your server with the same domain. Then your server will send the request to the remote server (api.xhanch.com) and get the response. Then you can reply the user's response with the response you got from the remote server.
Also there are some methods to relax the same origin policy (Eg: JSONP). You may google and learn them..
Related
I've developed a plugin for a web site, for the sake of this post let's call it www.somesite.com
The plugin has authorization page on my website, let's call it www.mysite.com, which returns cookie upon authorization, which I obviously want to use in subsequent requests to www.mysite.com.
The plugin uses dynamic rules to change Access-Control-Allow-Origin on request to www.somesite.com to "*", so cross-origin requests can be sent from the page to www.mysite.com. However cookies of www.mysite.com are not passed automatically with the request when I send requests from plugin's injected code using XMLHttpRequest. As I understand this is intended browser behavior to prevent "stealing" cookies via cross origin requests, and cookies are only passed if the request is originated from the browser itself.
Question is, is there a way around this? Obviously I'm not trying to steal your cookies :) I just need the cookies of www.mysite.com to be sent automatically in XHR requests I send from the webpage on www.somesite.com domain.
I've seen a similar question, but it required to modify response headers of the origin site, which I obviously have no access to, so in my case that solution won't work. I have access to backend of www.mysite.com, front end of www.mysite.com, frontend of www.somesite.com (via script injection via plugin) and NO ACCESS to backend of www.somesite.com.
Thanks!
I am trying to make an API call to a service (on a different domain) and in its response headers, there are some Set-Cookie headers.
And in the response, I have an URL that I need to hit again along with these cookies. But the browser does not seem to respect these cookies and they do not get sent.
Now what I tried to do was, after making the XmlHTTPRequest, I used document.cookie to set the cookies (cookies were also available as part of the API response) along with the domain. And even then the subsequent request (normal http) would not use these cookies.
Now, if I try to visit the page of the actual service, they set cookies in my browser under their domain and now my requests start working properly!
What else I did? I got the cookies and URL from the API response and used cURL to make the request. Voila it worked!
How do I acheive the same with JavaScript. Is it because you cant set cookies for a different domain or something?
Is there a programmatic way in javascript to ignore cookies sent from the server (without changing browser settings).
We use certain plugins on our web server that will randomly update our security cookie. However this causes issues for some of our URLs and we want to ignore those cookies for some cases.
Our security architect recommended we look into this possibility.
example:
1). create ajax request with URL: www.site.com/abc/comtd
2). ignore any cookies that come back in the response
The only way I can think of is to send the AJAX request from a completely different domain. Because the AJAX would be a Cross-Origin Resource Sharing (CORS) request, any response headers would be denied unless the server sends the access-control-allow-origin header. If the AJAX request is not a CORS request, the browser has to respect all Set-cookie headers it receives per the standard.
its not an option in our case to change domains. We need to pass cookies to the server or the requests will not get through security. If we change domains our security cookies would not get passed. What we want is to pass the cookies but ignore any set-cookie response headers for certain URLs.
I think this is not possible on the browser so I am investigating some Apache server plugins like mod_headers. Maybe we can do it on the server itself. Im closing this question and will open another one related to mod_headers.
Just a thought - if you send the request from a WebWorker - I think that is isolated from the main browser context ?
How to send https request to address https://www.googleapis.com/plus/v1/people/me from java script and most important how to get data from server?
I need it to identify users e-mail in my packaged chrome app.
Note that this would violate the same origin policy. Additionally, the whole point of HTTPS is so that the whole page (and request cycle) is secure.
The alternatives would be:
Make the request using JSONP, or
Set up a proxy: let your JS call your own server on the same origin,
which will in turn make an HTTPS request, or
Have an iframe which points to an HTTPS page (on your own server). This page should then be able to make Ajax requests to the server over HTTPS. Using the HTML5 postMessage API, you can then post a message back to the parent window.
I am using jQuery.post() method to send request to another server and get response from that server.
$.post('http://www.example.com:9876/example/myServletURL',{param1:param1}).done(function(data)
{
alert(data);
});
But I am not getting any response from the server. I have checked on server I am getting the request sent by post method.
If change the URL to Servlet which is in same war file(same domain) I am getting the response.
I have searched and found that this might be because of same origin policy.
My question is that how should I allow cross domain request using jQuery.post() method.
EDIT1
Domain is the same one, but the port numbers are different, for two different servers used for deployement.(Apache web server for php and Glassfish for java)
Solution
I have put following code to allow cross domain requests in my servlet.
response.addHeader("Access-Control-Allow-Origin", "*");
You can't change the cross domain request policy in the request, as that would defeat the security purpose of the same origin policy. CORS (Cross Origin Resource Sharing) has to be enabled on the server that sends the response. The response header must contain 'Access-Control-Allow-Origin': '*'. * allows any site to access the server and can be substituted with a single site if you don't want to give access to everyone. If you have control over the server to which you are posting, http://enable-cors.org/index.html is a great resource on how to enable CORS for your request/response.
What I did in a past project was Posted the data to an ASPX page on my own server from jQuery which then Posted the data to the true destination server. This page also Responded back the Response from the destination server.
I called the page PostData.aspx and sent the destination url as an escaped querystring parameter which kept it soft enough to use on other projects.
You can actually allow Cross Domain Requests on your server but be very careful because this is not very security friendly way.
I did this with PHP where you can allow cross domain by sending some headers in the request. You can do the same in PHP.
May be this link can help you => CrossDomain ajax request using CORS
If not let me know in comments.