I need to make a cross domain request from a script that runs in firefox (it's just for development purposes).
Can this be achieved? maybe modifying the about:config keys?
Thanks!
There is a great post by James Padolsey on how to to cross domain requests using jQuery, But the post also has very good resources. There need to be some tweaking to be done on the other server to allow cross domain calls using crossdomain.xml
Opera 10.5 allows for "Allow Cross Domain Access".
A little late, but thought I'd post the info here anyway;
I didn't fully read the links in everyone's answers, but I had a quick look and I didn't see that anyone mentioned using the PrivilegeManager - Bypassing Security Restrictions and Signing Code. Using this you can have your FireFox JavaScript app invoke a request for extended security privileges in the browser, including cross domain XHR.
The Same Origin Policy applies to all browsers. Using javascript you can send GET and POST requests, but you will not be able to read the response like you can with XHR. XHR's can only be done against the domain the script is executing from. This is an important rule as it prevents wide spread Cross Site Request Forgery(CSRF) vulnerabilities.
You can use flash with a crossdomain.xml file and I think this is the most robust solution because it will do exactly what you need and have the best browser compatibility.
EDIT: If you want specifically JavaScript running on Firefox to bypass the Same Origin Policy then you can build a custom add-on. Or perhaps the Cross Domain add-on will do what you need.
cross-site xmlhttprequest with CORS
As mentioned by 'The Rook', you can use Flash to do cross-domain requests provided that the server you're talking to serves an XML policy file granting your server access. If you control both servers that should be easy enough to accomplish.
If you don't want to write any Flash code yourself or if you want to be able to do cross-domain over SSL/TLS check out the opensource Forge project:
http://github.com/digitalbazaar/forge/blob/master/README
Related
I'm using an API from JIRA to get some information on bugs. Here's an example of the JQuery I'm using to get it:
var endpoint = 'https://jira.cyanogenmod.org/rest/api/latest/issue/CYAN-2631';
$.get(endpoint, function(data) {
do_stuff(data, data['fields']['project']['self']);
});
And, I'm getting the ever-terrible Access-Control-Allow-Origin error. It looks like this:
XMLHttpRequest cannot load
https://jira.cyanogenmod.org/rest/api/latest/issue/CYAN-2631.
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://127.0.0.1:8000' is therefore not allowed access.
I'd really like to use this API if possible. Following the directions on this question didn't help. I got another error,
GET https://jira.cyanogenmod.org/rest/api/latest/issue/CYAN-2631callback=jQuery172039181585889309645_1431307158851?_=1431307165515
Seems to be a Jquery error, so I don't think that's the right approach. Maybe the server doesn't allow for jsonp.
Anyway, does anyone have a way around this or can I just not use this particular API? Thanks
There is no way to enable cross origin requests entirely from the browser without external code. If there was, it would entirely defeat the purpose of the security protections in the first place.
When using a browser, it is the server that decides if it wants to support cross origin requests or not and what domains it wants to support requests from. You cannot bypass it in the client.
The choices are:
Server enables CORs access from your domain or all domains.
Server supports JSONP allowing you to use it to work-around the cross origin access.
You create your own server proxy where you make a request from the browser to your own server (which would either be same origin or have CORS enabled), then your own server gets the data from the other site and returns it back to the browser. Servers are not limited by the same origin limitations as this is a security feature built into browsers only.
You find some third party proxy service that you can use to serve the same purpose as option #3.
FYI, a Google search turned up this article about enabling CORS on the API: https://answers.atlassian.com/questions/69356/cross-origin-resource-sharing-with-jira-rest-api-and-javascript. I don't understand enough about the service to quite follow the article, but maybe it points you in a helpful direction.
H-i, short answer is "yes".
The medium answer is "enable CORS on your application SERVER"
The long answer is here: http://enable-cors.org/
At some point you'll encounter the concept of a "pre-flight request", and you'll probably get confused.
That's because it's confusing, stupid, and poorly engineered. Just keep on going.
The easiest way to enable CORS is at your webserver (nginx or apache), although, you can enable it in the application itself.
The http://enable-cors.org/ site lists configurations for a variety of web servers and application stacks.
Good luck!
I am a novice .net programmer made a webservice(JS calls the Webserice in my code) and was just trying to call it via my phones browser as am on the same network. With localhost it works perfect. But it fails to call the webservice method from other machine as well. What is the idea behind it and ddoes JSONP be of any help?
It would have helped a lot if you had described what type of webservice you are trying to call. I assume your webservice is RESTFUL. In that case if you'd try to call it from a different domain through XHR it will not succeed because of the browser's Same origin policy. And yes JSONP would be the most feasible alternative here.
You might also want to look at Cross origin resource sharing (CORS). It provides a way for web servers to support cross-site access controls.
Is there a way without using a server proxy to perform a cross domain GET or POST request?
If you are with only the current day browsers and have control over the external domain, you can use Cross-Origin Resource Sharing [CORS]
Most people do not have that luxury so you either have to use JSON with Padding [JSONP] or you need to use a serverside proxy.
As far as I know, there is no way to make a cross-domain request in JS, but you could just query your server and make the request from there.
Edit: as Russ Cam said above, look into JSONP.
Using YQL is an easy way of doing cross domain ajax. You can specify to have a JSON or XML object returned. IBM has a good tutorial: http://www.ibm.com/developerworks/web/library/wa-aj-jsonp2/index.html
Though just search for yql cross domain and it'll bring up numerous tutorials.
You could use Flash. Flash allows you to make a cross-domain request to another server provided that it serves a Flash cross-domain policy file (an XML file). So you will need administrative access to the other server in order to set that up.
If you think this option might be what you're looking for or you want to do SSL/TLS cross-domain, check out the opensource Forge project:
http://github.com/digitalbazaar/forge/blob/master/README
AJAX Cross Domain is a low-cost library that allows to perform cross-domain AJAX requests. http://www.ajax-cross-domain.com/
Is it possible to do a cross-site call, in Javascript, to a WCF service?
I don't mind if it's a POST or a GET.
But I've heard that these days, browsers don't allow cross-site calls with either POST or GET.
How can I circumvent this and still call a WCF Service?
There's not a whole lot you can do to circumvent the browser's cross-site scripting blockers. Those blockers stop XMLHTTPRequest's from happening to any domain but the one that loaded the containing script or page.
That said, there is one commonly used workaround: Use JavaScript to write a new entry into the DOM that references a src that is a cross-site URL. You'll pass all your RPC method arguments to this "script" which will return some JavaScript that will be executed, telling you success or failure.
There's no way to do a POST in this manner, the src URL must be a GET, so you can pass arguments that way. I'm not sure if WCF has a "GET only" method of access. And, since the browser will expect the result of the remote tag to be a valid JavaScript object, you'll have to make sure that your WCF service obeys that as well, otherwise you'll get JavaScript errors.
Another common method of circumventing cross-site scripting is to write a proxy for your requests. In other words, if you want to access domain test.com from scripts hosted on example.com, then make some URL on example.com that proxies the request over to test.com in the proper way.
For your example, the proxying is likely the right answer, assuming that WCF doesn't have it's own cross-site scripting restrictions.
Are you using jQuery by any chance? jQuery supports Cross-Domain JSON requests using "JSONP". You will be limited to GET requests, but I've tried it out and it works well! It's also very simple to get working.
See the "Cross-Domain getJSON (using JSONP) " section on this page for details:
http://docs.jquery.com/Release:jQuery_1.2/Ajax
And here's some background on JSONP:
http://bob.pythonmac.org/archives/2005/12/05/remote-json-jsonp/
Let me know how it goes!
New W3C recommendations are being standardised to allow cross-site requests between trusted parties via the Access Control for Cross-Site Requests specification.
This requires a server serving suitable Access Control HTTP headers and a browser capable of understanding and acting upon such headers.
In short, if a remote host says it likes your domain, and a browser understands what this means, you can perform xmlHttpRequests against that host regardless of the same origin policy.
Currently very few browsers support this functionality. IE8 apparently does (I haven't tested it) and Firefox 3.1 does (I have tested this extensively). I expect other browsers to follow suit quite quickly.
You shouldn't expect sufficient adoption of compatible browsers until 2012 at the earliest.
That's the ultimate solution to the problem. The downside is waiting a few years before it can be used in mainstream applications.
If this is for use within an environment you fully control, such as for an intranet where you can determine which browser is used and where you can configure multiple servers to issue the correct headers, it works perfectly.
To expand on Ben's answer... I extended our WCF service to support JSONP calls from jQuery using code similar to this example from Microsoft:
http://msdn.microsoft.com/en-us/library/cc716898.aspx
Is there a way to use XMLHttpRequest in combination with other domains?
I would like to parse some xml from Google without having to use a server so it is minimalistically complex to run.
var req = getXmlHttpRequestObject();
...
req.open('GET', 'http://www.google.de/ig/api?weather=Braunschweig', true);
req.setRequestHeader("Content-Type","text/xml");
req.onreadystatechange = setMessage;
req.send(null);
Doing it on the server side is no option at least then I wouldn't have to ask
Nope, not right now. I believe I read that plans/design's are in the works by standards groups for the future, so we can securely do this.
Cross site scripting vulnerabilities would be rampant other wise.
JSONP is a possible solution if the other sites API supports.
HTML5 now supports Cross Origin requests with XmlHttpRequest level 2 take a look at :
http://www.html5rocks.com/en/tutorials/cors/
It's a security issue, most (all?) browsers won't let you do that. You can use a hidden IFrame to do your fetching, but it's complex enough that i'd just use a server (or switch to a different language, if i don't have to run in a browser)
You cannot do cross domain request,e.g. from example1.com to example2.com through XMLHttpRequest or jQuery(which is a wrapper of XMLHttpRequest) due to security issue in client side(browser). This can be effectively implemented in modern browser supporting HTML5 through CORS(cross origin resource sharing, which cannot be available in every client browser. So, the solution is to insert script tag in example1.com of example2.com, and this solution is known as JSON-P(JSON with padding), the name could be misleading as the data can be in any format served by the server(example2.com). Its implementation code is given in this link http://newtechinfo.net/jsonp-for-cross-domain-ajax/
That's not possible due to the SOP (Same Origin Policy) that browser have these days to restrict XSS attacks.
You will have to use a server side script (PHP or something).
It is possible to make a XHR to another domain with HTML5.You can also make different protocol request with XHR when communicating with HTTP to another web site.
You can try to do something on the serverside. So on your application you make the request to the remote site getting the result and returning it to your client. The AJAX call is then only calling your own server and works.