Is there a way to use XMLHttpRequest in combination with other domains?
I would like to parse some XML from Google without having to use a server so it is minimalistically complex to run.
var req = getXmlHttpRequestObject();
...
req.open('GET', 'http://www.google.de/ig/api?weather=Braunschweig', true);
req.setRequestHeader("Content-Type","text/xml");
req.onreadystatechange = setMessage;
req.send(null);
Doing it on the server side is no option; at least then I wouldn't have to ask.
Nope, not right now. I believe I read that plans/designs are in the works by standards groups for the future, so we can securely do this.
Cross-site scripting vulnerabilities would be rampant otherwise.
JSONP is a possible solution if the other site's API supports it.
HTML5 now supports cross-origin requests with XMLHttpRequest Level 2; take a look at:
http://www.html5rocks.com/en/tutorials/cors/
It's a security issue; most (all?) browsers won't let you do that. You can use a hidden IFrame to do your fetching, but it's complex enough that I'd just use a server (or switch to a different language, if I don't have to run in a browser).
You cannot do a cross-domain request, e.g. from example1.com to example2.com, through XMLHttpRequest or jQuery (which is a wrapper of XMLHttpRequest) due to a security issue on the client side (browser). This can be effectively implemented in modern browsers supporting HTML5 through CORS (cross-origin resource sharing), which is not available in every client browser. So, the solution is to insert a script tag in example1.com of example2.com, and this solution is known as JSON-P (JSON with padding); the name could be misleading, as the data can be in any format served by the server (example2.com). Its implementation code is given in this link: http://newtechinfo.net/jsonp-for-cross-domain-ajax/
That's not possible due to the SOP (Same Origin Policy) that browsers have these days to restrict XSS attacks.
You will have to use a server side script (PHP or something).
It is possible to make an XHR to another domain with HTML5. You can also make a different-protocol request with XHR when communicating with HTTP to another web site.
You can try to do something on the serverside. So on your application you make the request to the remote site getting the result and returning it to your client. The AJAX call is then only calling your own server and works.
Related
I am a novice .NET programmer. I made a web service (JS calls the web service in my code) and was just trying to call it via my phone's browser, as I am on the same network. With localhost it works perfectly. But it fails to call the web service method from another machine as well. What is the idea behind it, and would JSONP be of any help?
It would have helped a lot if you had described what type of web service you are trying to call. I assume your web service is RESTful. In that case, if you try to call it from a different domain through XHR, it will not succeed because of the browser's same-origin policy. And yes, JSONP would be the most feasible alternative here.
You might also want to look at Cross origin resource sharing (CORS). It provides a way for web servers to support cross-site access controls.
I'm trying to launch a request for some data from an external website w/ an API.
If I copy paste the request into my web-browser it works fine.
Example such as (http://example.com/json/user/search/all)
I can see the results in the browser window.
However, I'm trying to launch this query from a website and I'm running into an issue:
Using some javascript like this:
var req = new XMLHttpRequest();
req.open('GET', abovementionedurl, true)
req.send()
I get an error that reads: Origin (MyDOMAIN) is not allowed by Access Control Allow Origin.
Again, I'm fairly new to XMLHttpRequests and I think this is fairly simple to solve.
Anyone know? (I tried searching Google but couldn't find a good answer.)
Thanks in advance.
You are not allowed to do Cross-Site XMLHttpRequests and need to use a proxy to accomplish it.
This article from Yahoo explains it in detail and gives more ideas of how to solve it. But basically it should not be done because this restriction exists for security purposes.
It would be better if you used PHP and fopen() for instance and simply called that page using your XMLHttpRequest object.
The problem is the same-origin policy. This is a rule that XMLHTTPRequests may not be used except on the same domain as the original page. This is for security reasons.
The easiest way around it is to write a server-side script that proxies the request for you.
This is your browser's protection against cross-site scripting. You are not allowed to access other pages that come from a different domain.
EDIT: Also check this: Cross-site XMLHttpRequest
I need to make a cross domain request from a script that runs in firefox (it's just for development purposes).
Can this be achieved? maybe modifying the about:config keys?
Thanks!
There is a great post by James Padolsey on how to do cross-domain requests using jQuery, and the post also has very good resources. There needs to be some tweaking done on the other server to allow cross-domain calls using crossdomain.xml.
Opera 10.5 allows for "Allow Cross Domain Access".
A little late, but thought I'd post the info here anyway;
I didn't fully read the links in everyone's answers, but I had a quick look and I didn't see that anyone mentioned using the PrivilegeManager - Bypassing Security Restrictions and Signing Code. Using this you can have your Firefox JavaScript app invoke a request for extended security privileges in the browser, including cross-domain XHR.
The Same Origin Policy applies to all browsers. Using JavaScript you can send GET and POST requests, but you will not be able to read the response like you can with XHR. XHRs can only be done against the domain the script is executing from. This is an important rule as it prevents widespread Cross-Site Request Forgery (CSRF) vulnerabilities.
You can use flash with a crossdomain.xml file and I think this is the most robust solution because it will do exactly what you need and have the best browser compatibility.
EDIT: If you want specifically JavaScript running on Firefox to bypass the Same Origin Policy then you can build a custom add-on. Or perhaps the Cross Domain add-on will do what you need.
cross-site xmlhttprequest with CORS
As mentioned by 'The Rook', you can use Flash to do cross-domain requests provided that the server you're talking to serves an XML policy file granting your server access. If you control both servers that should be easy enough to accomplish.
If you don't want to write any Flash code yourself, or if you want to be able to do cross-domain over SSL/TLS, check out the open-source Forge project:
http://github.com/digitalbazaar/forge/blob/master/README
When using an XMLHttpRequest in JavaScript, I want to send it to an external website, rather than the one where the .js file is hosted. To send it to test.php on the current server, I would use
request.open("POST", "test.php", true);
but for the second argument, how do I send it to another website? "example.com/test.php" looks for a file on the current server, and "http://example.com/test.php" just seems to outright fail.
You can't for security reasons. See the same origin policy for JavaScript.
There are some workarounds that exploit browser bugs or corner cases, but using them is not recommended.
The best approach is having a server-side proxy that receives Ajax requests, and in turn, sends HTTP requests to other servers. This should be carefully implemented by sanitizing input and whitelisting the types of requests that are sent, and the servers that are contacted.
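The allowlisting this answer calls for, as an added example that is not part of the original post: a check a Node.js proxy could run before forwarding anything. The host names, path prefixes and the function name `checkProxyRequest` are hypothetical.

```javascript
// Added example: allowlist check for a server-side fetch proxy (Node.js, no dependencies).
// ALLOWED_UPSTREAMS and its entries are hypothetical values for illustration.
const ALLOWED_UPSTREAMS = new Map([
  // hostname -> permitted path prefixes
  ['api.example.com', ['/json/user/']],
  ['weather.example.net', ['/v1/forecast']],
]);
const ALLOWED_METHODS = new Set(['GET']);

// Returns { ok: true, url } for a request the proxy may forward,
// or { ok: false, reason } for one it must refuse.
function checkProxyRequest(method, rawTarget) {
  if (!ALLOWED_METHODS.has(String(method).toUpperCase())) {
    return { ok: false, reason: 'method not allowed' };
  }
  let url;
  try {
    url = new URL(rawTarget); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  if (url.username || url.password) {
    // "https://trusted@other.host/" parses with other.host as the hostname
    return { ok: false, reason: 'credentials in URL' };
  }
  if (url.port !== '') {
    return { ok: false, reason: 'non-default port' };
  }
  // url.hostname is lower-cased by the parser; compare it exactly,
  // never by substring or suffix.
  const prefixes = ALLOWED_UPSTREAMS.get(url.hostname);
  if (!prefixes) {
    return { ok: false, reason: 'host not allowed' };
  }
  // url.pathname already has "." and ".." segments resolved.
  if (!prefixes.some((p) => url.pathname.startsWith(p))) {
    return { ok: false, reason: 'path not allowed' };
  }
  url.hash = ''; // fragments are never sent upstream
  return { ok: true, url: url.href };
}
```

The proxy should forward only the returned `url`, not the raw input, and should not follow upstream redirects to hosts outside the list.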
This sounds like a bad case of Same Origin Policy, my friend :)
You can't (for the most part) use XmlHttpRequest to get data from an external website. What you can do, however, is dynamically create a SCRIPT tag and reference an external address. jQuery wraps this functionally as part of its ajax handling.
Indeed you can. Not in any browser, though.
In Internet Explorer 8.0 there is XDomainRequest, an object enabling cross-domain requests. You would need to properly handle requests made with this object on the server by sending the Access-Control-Allow-Origin header first with "*" or the requester's domain name.
Since you are doing some hacky things anyway, why not trying to use it on IE8 first?
If you have control over the server, you can use this header in the HTTP reply, although it may not work with all browsers.
Access-Control-Allow-Origin: *
Is it possible to do a cross-site call, in Javascript, to a WCF service?
I don't mind if it's a POST or a GET.
But I've heard that these days, browsers don't allow cross-site calls with either POST or GET.
How can I circumvent this and still call a WCF Service?
There's not a whole lot you can do to circumvent the browser's cross-site scripting blockers. Those blockers stop XMLHttpRequests from happening to any domain but the one that loaded the containing script or page.
That said, there is one commonly used workaround: Use JavaScript to write a new entry into the DOM that references a src that is a cross-site URL. You'll pass all your RPC method arguments to this "script" which will return some JavaScript that will be executed, telling you success or failure.
There's no way to do a POST in this manner, the src URL must be a GET, so you can pass arguments that way. I'm not sure if WCF has a "GET only" method of access. And, since the browser will expect the result of the remote tag to be a valid JavaScript object, you'll have to make sure that your WCF service obeys that as well, otherwise you'll get JavaScript errors.
Another common method of circumventing cross-site scripting is to write a proxy for your requests. In other words, if you want to access domain test.com from scripts hosted on example.com, then make some URL on example.com that proxies the request over to test.com in the proper way.
For your example, the proxying is likely the right answer, assuming that WCF doesn't have its own cross-site scripting restrictions.
Are you using jQuery by any chance? jQuery supports Cross-Domain JSON requests using "JSONP". You will be limited to GET requests, but I've tried it out and it works well! It's also very simple to get working.
See the "Cross-Domain getJSON (using JSONP) " section on this page for details:
http://docs.jquery.com/Release:jQuery_1.2/Ajax
And here's some background on JSONP:
http://bob.pythonmac.org/archives/2005/12/05/remote-json-jsonp/
Let me know how it goes!
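The server side of the JSONP exchange described in the answers above, as an added example that is not part of any original post: because the browser executes whatever the response contains, the callback name is validated and the payload is escaped before the two are joined. `jsonpResponse`, `CALLBACK_RE` and the length limit are hypothetical names and values.

```javascript
// Added example: building a JSONP response body on the server (Node.js, no dependencies).
// The callback name arrives in the query string and ends up inside executable
// script, so it is restricted to dotted JavaScript identifiers.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;
const MAX_CALLBACK_LEN = 64; // assumed limit, long enough for jQuery's generated names

function jsonpResponse(callback, data) {
  if (typeof callback !== 'string' ||
      callback.length > MAX_CALLBACK_LEN ||
      !CALLBACK_RE.test(callback)) {
    return { status: 400, contentType: 'text/plain', body: 'invalid callback' };
  }
  // JSON.stringify returns undefined for values it cannot encode; send null instead.
  const json = (JSON.stringify(data) ?? 'null')
    .replace(/</g, '\\u003c')        // no "</script>" or "<!--" in the output
    .replace(/\u2028/g, '\\u2028')   // line separators that older JavaScript
    .replace(/\u2029/g, '\\u2029');  // engines reject inside string literals
  return {
    status: 200,
    contentType: 'application/javascript; charset=utf-8',
    body: `${callback}(${json});`,
  };
}
```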
New W3C recommendations are being standardised to allow cross-site requests between trusted parties via the Access Control for Cross-Site Requests specification.
This requires a server serving suitable Access Control HTTP headers and a browser capable of understanding and acting upon such headers.
In short, if a remote host says it likes your domain, and a browser understands what this means, you can perform xmlHttpRequests against that host regardless of the same origin policy.
Currently very few browsers support this functionality. IE8 apparently does (I haven't tested it) and Firefox 3.1 does (I have tested this extensively). I expect other browsers to follow suit quite quickly.
You shouldn't expect sufficient adoption of compatible browsers until 2012 at the earliest.
That's the ultimate solution to the problem. The downside is waiting a few years before it can be used in mainstream applications.
If this is for use within an environment you fully control, such as for an intranet where you can determine which browser is used and where you can configure multiple servers to issue the correct headers, it works perfectly.
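How a server decides whether it "likes your domain", as an added example that is not part of the original answer: the `Origin` request header is compared against an exact list, and preflight requests are answered with the permitted methods and headers. `TRUSTED_ORIGINS`, its entries and `corsHeaders` are hypothetical.

```javascript
// Added example: server-side CORS decision for one request (Node.js, no dependencies).
// TRUSTED_ORIGINS holds hypothetical origins for illustration.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://intranet.example.com',
]);
const CORS_METHODS = ['GET', 'POST'];
const CORS_HEADERS = ['content-type'];

// Given the request method and the request headers (keys lower-cased, as Node
// delivers them), return the CORS response headers to add, or null when no
// cross-origin access is granted.
function corsHeaders(method, reqHeaders) {
  const origin = reqHeaders['origin'];
  // Exact string match on scheme + host + port; no prefix or suffix matching.
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return null;

  // Echo the single matching origin rather than "*", and tell caches that
  // the response varies by Origin.
  const headers = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };

  const wanted = reqHeaders['access-control-request-method'];
  if (method === 'OPTIONS' && wanted) {
    // Preflight: the browser asks permission before a non-simple request.
    if (!CORS_METHODS.includes(wanted)) return null;
    const asked = (reqHeaders['access-control-request-headers'] || '')
      .split(',')
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean);
    if (!asked.every((h) => CORS_HEADERS.includes(h))) return null;
    headers['Access-Control-Allow-Methods'] = CORS_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = CORS_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}
```

Returning null means the response carries no CORS headers, so the browser keeps the same-origin restriction in place for that caller.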
To expand on Ben's answer... I extended our WCF service to support JSONP calls from jQuery using code similar to this example from Microsoft:
http://msdn.microsoft.com/en-us/library/cc716898.aspx