This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Ways to circumvent the same-origin policy
Is there anyway to get content from external site for example i want to get content from url http://www.readwriteweb.com/ in client site by using Javascript or JQuery
Unless the site is set up to allow cross-origin requests, you can't access the DOM of another site for security reasons.
This is known as the Same origin policy. There are a number of ways around it if you control the server.
The other option is to pull the data yourself server-side and deliver this to the client from your domain.
Here are two options:
Use an iframe to embed a web page of the external site in your page. You can only embed an entire page, including all its advertising and navigation sites, but on some external sites you can find versions of the page intended for mobile or for printing that might look reasonable when embedded.
Use a public CORS proxy. The only one I have found is http://www.corsproxy.com/ . Personally I am suspicious of that site as there is no TOC, privacy policy, or even any indication of who runs the site. However if yours is some small project, where you don't care about privacy, security, reliability, or scaling you might try it. Here is an example of usage adapted from the site:
$.get(
'http://www.corsproxy.com/en.wikipedia.org/wiki/Http',
function(response) { document.body.innerHTML = response; });
If your external site is not in the same domain as your site then No. I would suggest you to use JSONP objects to send/receive between sites in different domain.
Related
I need to incorporate in my web application some content from an external dynamic web page on which I have no control.
Then I need to filter some of the content of this page or to hide it for presenting only the relevant part that is interesting for my use.
I need also that the scripts on the external page are still working on the source site of the loaded content without cross-site protection.
Is all that possible? How can I do it? Any code example, please?
I suppose that this can be made with JS on client side .
I work on back side and these themes are quite extraneous to me, please don't blame me.
No, it is not possible.
Browser same-origin policy is designed to prevent malicious websites from doing evil.
Same-origin Policy restricts JavaScript network access to prevent evil.
Same-origin Policy also restricts script API Access to prevent evil.
From the Docs:
JavaScript APIs like iframe.contentWindow, window.parent, window.open, and window.opener allow documents to directly reference each other. When two documents do not have the same origin, these references provide very limited access to Window and Location objects.
To communicate between documents from different origins, use window.postMessage.
— MDN Web Security Reference - Cross-origin script API access
One can not use <iframe> elements as a way to "avoid cross site problems". The Same Origin Policy was created to protect users from evil web pages.
I want to get the XPATH of an element on a website (my own domain), which I got it using JavaScript code as mentioned in this answer.
Now what I want to click on button which will open a url (cross domain) window and when user click on an element on that window it's XPATH is captured.
I tried doing the same using iframe with no luck.
Now my question is there a way to get the XPATH of an element of another website/ Cross domain?
Sorry this is not possible without cooperation from the other (x-domain) site. Browsers are designed not to allow access to the DOM of x-domain documents (iframe included) for security reasons.
If you had cooperation from the other site, they could load your javascript file and then use postmessage to pass the xpath to the original page.
Other options would be to create a bookmarklet users could use on the other page, or a browser extension (Chrome and FF are pretty easy to develop for)... depends on your use case.
From your comments, I've gathered that you want to capture information from another website that doesn't have Access-Control-Allow-Origin headers that include your domain (e.g. the other site does not have CORS enabled). This is not possible to do cross-domain and client-side due to the Same-Origin Policy implemented in most modern browsers. The Same-Origin Policy prevents any resources on your site from interacting with resources on any other site (unless the other site explicitly shares them with your site using the Access-Control-Allow-Origin HTTP header).
If you want to get information about another site from your site, there is no way around using server-side code. A simple solution would be to implement a server-side proxy that re-serves off-site pages from your own origin, so the Same-Origin Policy will not be violated.
You may get the data using jQuery's load function, and append it to your page.
From there, the DOM nodes from your external page should be accessible for your processing.
$('#where-you-want').load('//example.com body', function() {
console.log($('#where-you-want'))
// process the DOM node under `#where-you-want` here with XPath.
})
You can see this in action here: http://jsfiddle.net/xsvkdugo/
P.S.: this assumes you are working with a CORS-enabled site.
This question already has answers here:
Ways to circumvent the same-origin policy
(8 answers)
Closed 8 years ago.
I'm making a glue script for in php stitching together two pieces of software (IBM's TNPM and Network Weathermap). To get weathermaps OVERLIBGRAPH functionality working i need the url of the graphs that TNPM produces (which are PNGs).
Now TNPM does not seem to have an API to do it, nor are the urls for these graphs very predictable. I dont know much about TNPM, so I might be wrong here. So im treating it as a web application and I try to scrape the graph url from a page which contains this graph.
however my script is on a firewalled server and normally gets its input via a dump. it cannot really access TNPM (by this I mean I cannot use a proxy solution). my boss tells me that opening the firewall so my glue script can access the TNPM server like a normal user is going to take a long time.
So I'm hoping to use javascript to scrape the page from inside the users browser (which presumably is logged in to TNPM). however I am going to run into the same origin policy this way.
it needs to work in internet explorer 8. other browsers cannot get the graphs i want directly (probably due to some sniffer on TNPM banning other browsers).
I dont know a solution, but maybe anyone know a way around the cross origin policy which might work in this case?
update: the problem will be solved from the server side by opening the firewall. So I dont need an answer anymore, although i'd still appreciate it.
I would try the following article which looks promising, from: Mads Kristensen
Basically, it's taking advantage of the breach to change document.domain via JavaScript and allow communication between an iframe and its parent that are on the same domain, by using a proxy server that points to the IP of the website you want to pull data from.
E.G:
Site domain - a.mysite.com
"Other" domain - www.articles.com
The proxy server domain - b.mysite.com (points to "www.articles.com" IP, as an A record in the DNS)
Usage:
a.mysite.com implements an iframe with src="b.mysite.com" and sets document.domain = "mysite.com"
b.mysite.com sets document.domain = "mysite.com"
Is there any way to send HTTP requests to non-cooperating websites with javascript? I'm aware that this is forbidden because of the same origin policy, but is there any way to do it, including experimental APIs, Java applets, Flash, browser extensions, hidden settings, special certificates etc.? It's fine if the user explicitly has to grant my page permissions to access the other site, in fact that would be very reasonable.
Background: I'm trying to do a kind of mash-up by scraping several site's html, and I would like to do it from the user's IP address and not from my server.
Just a thought - If any of those websites use JQuery - this tunneling mehod might work:
http://benv.ca/2011/3/7/subdomain-tunneling-with-jquery-and-document-domain/
Create an iframe in a page on your site, load the page from the other website into it, replace your page's jquery ajax object with the one from the iframe - and you could be good to go!
Let me know if you try it :)
I apologize if this has been asked before. I searched but did not find anything. It is a well-known limitation of AJAX requests (such as jQuery $.get) that they have to be within the same domain for security reasons. And it is a well-known workaround for this problem to use iframes to pull down some arbitrary HTML from another website and then you can inspect the contents of this HTML using javascript which communicates between the iframe and the parent page.
However, this doesn't work on the iPhone. In some tests I have found that iframes in the Safari iPhone browser only show content if it is content from the same site. Otherwise, they show a blank content area.
Is there any way around this? Are there other alternatives to using iframes that would allow me to pull the HTML from a different domain's page into javascript on my page?
Edit:
One answer mentioned JSONP. This doesn't help me because from what I understand JSONP requires support on the server I'm requesting data from, which isn't the case.
That same answer mentioned creating a proxy script on my server and loading data through there. Unfortunately this also doesn't work in my case. The site I'm trying to request data from requires user login. And I don't want my server to have to know the user's credentials. I was hoping to use something client-side so that my app wouldn't have to know the user's credentials at the other site.
I'm prepared to accept that there is no way to accomplish what I want to do on the iPhone. I just wanted to confirm it.
You generally can NOT inspect the contents of an iframe from another domain via JavaScript. The most common answers are to use JSONP or have your original server host a proxy script to retrieve the inner contents for you.
Given your revisions, without modification or support from the secondary site, you are definitely not going to be able to do what you want via the iPhone's browser.
"In some tests I have found that iframes in the Safari iPhone browser only show content if it is content from the same site"
I found the same thing. Is this documented somewhere? Is there a workaround? This sounds like broken web standards to me, and I am wondering if there is a solution.