How to specify an external website for XMLHTTPRequest - javascript

When using an XMLHTTPRequest in javascript, I want to send it to an external website, rather than the one where the .js file is hosted. To send it to test.php on the current server, I would use
request.open("POST", "test.php", true);
but for the second argument, how do I send it to another website? "example.com/test.php" looks for a file on the current server, and "http://example.com/test.php" just seems to outright fail.

You can't for security reasons. See the same origin policy for JavaScript.
There are some workarounds that exploit browser bugs or corner cases, but using them is not recommended.
The best approach is having a server-side proxy that receives Ajax requests, and in turn, sends HTTP requests to other servers. This should be carefully implemented by sanitizing input and whitelisting the types of requests that are sent, and the servers that are contacted.

This sounds like a bad case of Same Origin Policy, my friend :)

You can't (for the most part) use XmlHttpRequest to get data from an external website. What you can do, however, is dynamically create a SCRIPT tag and reference an external address. jQuery wraps this functionality as part of its ajax handling.

Indeed you can. Not in any browser, though.
In Internet Explorer 8.0 there is XDomainRequest, an object enabling cross-domain requests. You would need to properly handle requests made with this object on the server by sending the Access-Control-Allow-Origin header first with "*" or the requester domain name.
Since you are doing some hacky things anyway, why not try to use it on IE8 first?

If you have control over the server, you can use this header in the HTTP reply, although it may not work with all browsers.
Access-Control-Allow-Origin: *
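
An added example (not from any of the answers above) of the server side of the header approach: a handler in the shape Node's http.createServer expects, which sends Access-Control-Allow-Origin only to origins on an allow-list rather than `*`, since `*` lets any site read the response. The origins, function names and allowed methods are assumptions made for the illustration.

```javascript
// Added example; the origins below are constructed sample values.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Decide which CORS headers to send for a request's Origin header and method.
function corsHeaders(origin, method) {
  // Vary: Origin stops shared caches replaying one origin's answer to another.
  const headers = { Vary: "Origin" };
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return headers; // no Allow-Origin header, so the browser refuses the read
  }
  headers["Access-Control-Allow-Origin"] = origin; // exact match only
  if (method === "OPTIONS") {
    // Preflight reply: methods and headers the real request may use.
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Handler with the (req, res) shape of Node's http.createServer callback.
function handler(req, res) {
  const headers = corsHeaders(req.headers.origin, req.method);
  if (req.method === "OPTIONS") {
    res.writeHead(204, headers);
    res.end();
    return;
  }
  res.writeHead(200, { ...headers, "Content-Type": "application/json" });
  res.end(JSON.stringify({ ok: true }));
}

// Constructed requests: an allowed origin, a look-alike, and a preflight.
console.log(corsHeaders("https://app.example.com", "GET"));
console.log(corsHeaders("https://app.example.com.evil.test", "GET"));
console.log(corsHeaders("https://admin.example.com", "OPTIONS"));
```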

Related

Reading JSON file via JavaScript across different subdomain?

Is it possible (and if so, what's the most secure way) to read a JSON file from a subdomain such as somesubomain.maindomain.com in a JS script residing in maindomain.com, another.maindomain.com etc?
Thanks!
Have a look at how document.domain works: https://developer.mozilla.org/en/DOM/document.domain
Another solution would be make your json file a JavaScript file (jsonp-style) which calls a function so it can be embedded using a script tag which does not have same-origin restrictions.
You're not supposed to, due to the same origin policy enforced on all browsers, but you can... Check out this explanation of cross domain ajax requests.
http://alexsexton.com/?p=154
JSONP is what I found to be the easiest to work with for this type of stuff.
I do this two ways:
Have your server make the call on behalf of your client. What I mean by that, is take the call you were going to make from the browser, and make it a web service on the server. Then have your client call your webservice, which will then make the call and return the response. This allows you to inspect what's being sent back and forth.
Use JSONP. Their server must be configured for this, and I'm not sure there is any added security.

Cross Domain Get Request in JS/JQuery

Is there a way without using a server proxy to perform a cross domain GET or POST request?
If you are working with only current-day browsers and have control over the external domain, you can use Cross-Origin Resource Sharing [CORS].
Most people do not have that luxury, so you either have to use JSON with Padding [JSONP] or you need to use a server-side proxy.
As far as I know, there is no way to make a cross-domain request in JS, but you could just query your server and make the request from there.
Edit: as Russ Cam said above, look into JSONP.
Using YQL is an easy way of doing cross domain ajax. You can specify to have a JSON or XML object returned. IBM has a good tutorial: http://www.ibm.com/developerworks/web/library/wa-aj-jsonp2/index.html
Though just search for yql cross domain and it'll bring up numerous tutorials.
You could use Flash. Flash allows you to make a cross-domain request to another server provided that it serves a Flash cross-domain policy file (an XML file). So you will need administrative access to the other server in order to set that up.
If you think this option might be what you're looking for or you want to do SSL/TLS cross-domain, check out the opensource Forge project:
http://github.com/digitalbazaar/forge/blob/master/README
AJAX Cross Domain is a low-cost library that allows you to perform cross-domain AJAX requests. http://www.ajax-cross-domain.com/

JavaScript, XMLHttpRequest, permission denied within browser

My JS file uses an XMLHttpRequest to display an RSS feed. When I reference the JavaScript within my HTML page, my browser renders an error: Permission denied, and therefore my script is being blocked. I am not allowed to change the security settings and I'd appreciate any workaround tips. Thanks!
It's called the same origin policy. There's no easy workaround.
Simply put, XmlHttpRequest doesn't allow you to perform ajax calls across domains. Meaning, if your website is mydomain.com, you can't use XHR to call out to pages (xml or otherwise) on someonelsesdomain.com.
There are workarounds, typically using Flash (less elegant) or webservice proxies (more elegant). Google "cross domain ajax calls" for more help.
Cross-origin call? You can't do that (at least not directly, e.g. you need an extension/plugin etc.).
You need a proxy server... a utility that will allow access to foreign (in this case, on another server) material on your own server. Since (as the others mentioned) browsers have security features enabled to prevent you from accessing content via AJAX on these foreign servers, a proxy will enable you to access this content locally.
This .NET method was perfect and easy to implement: http://www.asp101.com/articles/john/megatokyo/dotnet.asp
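
An added example (not code from any answer or linked article) of the check a server-side proxy needs before it fetches anything on the browser's behalf, following the advice earlier on this page to whitelist the request types and the servers contacted. The host names, the allowed method and the function names are assumptions; proxyFetch relies on the global fetch of Node 18 or later.

```javascript
// Added example; the hosts and the allowed method are constructed values.
const ALLOWED_HOSTS = new Set(["api.example.com", "feeds.example.org"]);
const ALLOWED_METHODS = new Set(["GET"]);

// Validate what the browser asked the proxy to fetch; return a URL or throw.
function checkProxyTarget(rawUrl, method) {
  if (!ALLOWED_METHODS.has(String(method).toUpperCase())) {
    throw new Error("method not allowed");
  }
  let url;
  try {
    url = new URL(rawUrl); // the parser normalises case and encodings
  } catch {
    throw new Error("not an absolute URL");
  }
  if (url.protocol !== "https:") throw new Error("scheme not allowed");
  if (url.username || url.password) throw new Error("credentials in URL");
  if (url.port !== "") throw new Error("port not allowed");
  // Compare the parsed hostname, never a substring of the raw string.
  if (!ALLOWED_HOSTS.has(url.hostname)) throw new Error("host not allowed");
  return url;
}

// Same check as a verdict string, convenient for logging rejected requests.
function verdict(rawUrl, method) {
  try {
    checkProxyTarget(rawUrl, method);
    return "ok";
  } catch (err) {
    return err.message;
  }
}

// Fetch an allowed target server-side (Node 18+ global fetch).
async function proxyFetch(rawUrl, method = "GET") {
  const url = checkProxyTarget(rawUrl, method);
  // redirect: "error" stops an allowed host from bouncing the proxy elsewhere.
  const res = await fetch(url, { method, redirect: "error" });
  return { status: res.status, body: await res.text() };
}

// Constructed inputs: an allowed target, a look-alike host, a relative path.
console.log(verdict("https://api.example.com/weather?q=x", "GET"));
console.log(verdict("https://api.example.com.evil.test/", "GET"));
console.log(verdict("example.com/test.php", "GET"));
```

Without such a check the proxy will fetch any URL a caller supplies, including addresses that are only reachable from inside the server's own network.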

Cross-site ajax call to a WCF Service

Is it possible to do a cross-site call, in Javascript, to a WCF service?
I don't mind if it's a POST or a GET.
But I've heard that these days, browsers don't allow cross-site calls with either POST or GET.
How can I circumvent this and still call a WCF Service?
There's not a whole lot you can do to circumvent the browser's cross-site scripting blockers. Those blockers stop XMLHTTPRequests from happening to any domain but the one that loaded the containing script or page.
That said, there is one commonly used workaround: Use JavaScript to write a new entry into the DOM that references a src that is a cross-site URL. You'll pass all your RPC method arguments to this "script" which will return some JavaScript that will be executed, telling you success or failure.
There's no way to do a POST in this manner, the src URL must be a GET, so you can pass arguments that way. I'm not sure if WCF has a "GET only" method of access. And, since the browser will expect the result of the remote tag to be a valid JavaScript object, you'll have to make sure that your WCF service obeys that as well, otherwise you'll get JavaScript errors.
Another common method of circumventing cross-site scripting is to write a proxy for your requests. In other words, if you want to access domain test.com from scripts hosted on example.com, then make some URL on example.com that proxies the request over to test.com in the proper way.
For your example, the proxying is likely the right answer, assuming that WCF doesn't have its own cross-site scripting restrictions.
Are you using jQuery by any chance? jQuery supports Cross-Domain JSON requests using "JSONP". You will be limited to GET requests, but I've tried it out and it works well! It's also very simple to get working.
See the "Cross-Domain getJSON (using JSONP)" section on this page for details:
http://docs.jquery.com/Release:jQuery_1.2/Ajax
And here's some background on JSONP:
http://bob.pythonmac.org/archives/2005/12/05/remote-json-jsonp/
Let me know how it goes!
New W3C recommendations are being standardised to allow cross-site requests between trusted parties via the Access Control for Cross-Site Requests specification.
This requires a server serving suitable Access Control HTTP headers and a browser capable of understanding and acting upon such headers.
In short, if a remote host says it likes your domain, and a browser understands what this means, you can perform xmlHttpRequests against that host regardless of the same origin policy.
Currently very few browsers support this functionality. IE8 apparently does (I haven't tested it) and Firefox 3.1 does (I have tested this extensively). I expect other browsers to follow suit quite quickly.
You shouldn't expect sufficient adoption of compatible browsers until 2012 at the earliest.
That's the ultimate solution to the problem. The downside is waiting a few years before it can be used in mainstream applications.
If this is for use within an environment you fully control, such as for an intranet where you can determine which browser is used and where you can configure multiple servers to issue the correct headers, it works perfectly.
To expand on Ben's answer... I extended our WCF service to support JSONP calls from jQuery using code similar to this example from Microsoft:
http://msdn.microsoft.com/en-us/library/cc716898.aspx
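
An added example (not the jQuery or WCF code referred to above) showing both halves of the SCRIPT-tag technique described in this thread: the server wraps its JSON in a call to the function named in the query string, and the page loads that URL through a script element. All names are assumptions made for the illustration; the server function validates the callback name because it is reflected into script that runs in the calling page.

```javascript
// Added example; function names and the callback prefix are constructed.

// Server side: wrap JSON in a call to the function named by ?callback=.
// The name ends up in executable script, so accept plain identifiers only.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function jsonpResponse(callback, data) {
  if (typeof callback !== "string" || !CALLBACK_RE.test(callback)) {
    return { status: 400, type: "text/plain", body: "invalid callback" };
  }
  // U+2028/U+2029 are legal in JSON but were line terminators in older JS.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    type: "application/javascript",
    // The leading comment keeps the first bytes out of the caller's control.
    body: "/**/" + callback + "(" + json + ");",
  };
}

// Browser side: load the cross-origin URL through a SCRIPT element (GET only).
function jsonpRequest(url, onData) {
  const name = "jsonp_cb_" + Date.now();
  const script = document.createElement("script");
  window[name] = (data) => {
    delete window[name]; // one-shot callback, then clean up
    script.remove();
    onData(data);
  };
  script.src = url + "?callback=" + encodeURIComponent(name);
  document.head.appendChild(script);
}

// Constructed server-side calls: a valid name and a rejected one.
console.log(jsonpResponse("handleData", { temp: 21 }).body);
console.log(jsonpResponse("not a name", {}).status);
```

Whatever the remote server returns runs with the full privileges of the calling page, so JSONP is only appropriate when that server is trusted as much as the page's own code.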

Can I make an XMLHttpRequest to another domain?

Is there a way to use XMLHttpRequest in combination with other domains?
I would like to parse some xml from Google without having to use a server so it is minimalistically complex to run.
var req = getXmlHttpRequestObject();
...
req.open('GET', 'http://www.google.de/ig/api?weather=Braunschweig', true);
req.setRequestHeader("Content-Type","text/xml");
req.onreadystatechange = setMessage;
req.send(null);
Doing it on the server side is no option; at least then I wouldn't have to ask.
Nope, not right now. I believe I read that plans/designs are in the works by standards groups for the future, so we can securely do this.
Cross site scripting vulnerabilities would be rampant otherwise.
JSONP is a possible solution if the other site's API supports it.
HTML5 now supports cross-origin requests with XMLHttpRequest Level 2; take a look at:
http://www.html5rocks.com/en/tutorials/cors/
It's a security issue, most (all?) browsers won't let you do that. You can use a hidden IFrame to do your fetching, but it's complex enough that I'd just use a server (or switch to a different language, if I don't have to run in a browser).
You cannot do a cross-domain request, e.g. from example1.com to example2.com, through XMLHttpRequest or jQuery (which is a wrapper of XMLHttpRequest) due to a security issue on the client side (browser). This can be effectively implemented in modern browsers supporting HTML5 through CORS (cross-origin resource sharing), which may not be available in every client browser. So, the solution is to insert a script tag in example1.com of example2.com, and this solution is known as JSON-P (JSON with padding); the name could be misleading as the data can be in any format served by the server (example2.com). Its implementation code is given in this link: http://newtechinfo.net/jsonp-for-cross-domain-ajax/
That's not possible due to the SOP (Same Origin Policy) that browsers have these days to restrict XSS attacks.
You will have to use a server side script (PHP or something).
It is possible to make an XHR to another domain with HTML5. You can also make different protocol requests with XHR when communicating with HTTP to another web site.
You can try to do something on the serverside. So on your application you make the request to the remote site getting the result and returning it to your client. The AJAX call is then only calling your own server and works.
