Avoiding AJAX cross domain limitations - javascript

Is it possible to avoid AJAX cross domain request limitation if JS file with $.getJSON is loaded from the same server (domain) as URL in AJAX request?
Let's say I have a webservice on serverA.com which needs to be called from pages on few other domains e.g. subdomain.serverA.com, serverB.com etc.
JS is placed on serverA.com and included on multiple pages on different domains with absolute URL:
<script src="http://serverA.com/ajax.js" />
while page URL is e.g. http://serverB.com/page.html
In such case, $.getJSON('http://serverA.com/service/',... will avoid cross domain limitations or not?
In other words, browsers are looking at page URL or JS source URL when evaluating same-origin policy for AJAX requests?

It sounds like you're asking "Can I get round the cross domain limitations of javascript?"
The answer is "yes", by using JSONP
There's a lot of good information here:
Basic example of using .ajax() with JSONP?
Ways to circumvent the same-origin policy
jQuery - How to remove cross domain limitation
If that's not the question you're asking then you may need to clarify it a little.

In other words, browsers are looking at page URL or JS source URL when evaluating same-origin policy for AJAX requests?
The same origin policy is based on the URL of the HTML document the script is running on, not the URL of the script itself.
Is it possible to avoid AJAX cross domain request limitation if JS file with $.getJSON is loaded from the same server (domain) as URL in AJAX request?
Yes, but not because the JS file is loaded from there. The URL of the script is irrelevant.

Instead of JSONP, I would recommend Cross Origin Resource Sharing.
The owner of the service, just need to add a header that gives the (static, dynamic or open) list of authorized origins.

Related

Javascript API hindered by Cross Domain API calls

I need to provide a functionality similar to "Share with Facebook" for my social networking site. Facebook uses nested iframes and also xd_receiver concepts. I want to write a JavaScript API(JS file hosted on my domain), which can be used by different sites to call my web server APIs in order to share, post or recommend on my social networking site. I have a few questions -
Even though I provide the JS API, and diff sites load the JS file using the source, if any API call is made, it will again be a cross domain call(If I am comprehending correctly) and will be rejected on the server?
How to overcome such situation?
Is there any other better mechanism to implement this functionality?
Please suggest so that I can proceed with the implementation.
I think the default way is to use jsonp to get around cross domain limitation. http://en.wikipedia.org/wiki/JSONP. It might require a change in your api though. A user requests your api through the src of a script tag passing in a function callback. Your api would return pass your json response to the function specified.
Do you know why they use iframes and not simple get requests with JSONP/Images/scripts?
The answer is security. I cannot write a script that clicks their button which will automatically "like" the page.
Using plain old JavaScript with a JSONP will allow the developer to automatically click the button. Do you want that to happen?
The requests are made by the browser and not from the JS file, so, your requests will be cross-domain every time they did from another domain site.
Your server will only reject cross-domain requests if you implement a referrer validation.
And you can use JSONP if your API needs custom contents from your site...
To allow cross domain requests, you need to set the following Header in your HTTP Response:
Access-Control-Allow-Origin: *
The implementation will vary depending on the back-end you are using.
If the host in the Origin header of the request is anything but the host of the request, the response must include the listed Origin in the Access-Control-Allow-Origin header. Setting this header to * will allow all origins.
For very specific information on cross origin resource sharing see http://www.w3.org/TR/cors/. If you're not big on reading w3c documents, check out MDN's primer.
Note: Internet Explorer does its own thing with regards to cross domain requests. This answer is a good start if you have issues with IE.

How to make cross domain request using ajax or javascript?

I have some Pre built script that makes some ajax request to one website. And it's working fine. But I am not able to make request to there some domains.
My working Process:-
1) I have pre built script on http://www.Test.com/a.js now i am calling this js in this domain http://www.test1.com by pasting the code to URL and it's working fine.
2) Now When I want to call one page from This http://hello.test1.com/as.php but it's showing some errors. How could i make request to subdomain page from main domain page.
Please let me know how can i do this.
Thanks in advance.
Your various options for cross-domain requests are:
The new Cross-Origin Resource Sharing (CORS) standard, if the browsers your users use support it and the server has support for it. Note that a lot of general web users still have browsers that don't support it.
JSON-P ("JSON with padding"), which is basically a dynamically-added script element
Using YQL (Yahoo Query Language) as a cross-domain proxy
There are several work arounds for cross domain scripting restrictions. easyXDM seems to do what you want.
You can use php curl to do the cross domain request using ajax. An ajax request will call php curl page which in turn will call cross domain with url specified in php curl page and return back the response .
I have implemented same and it works fine. Hope this helps Thanks.

Javascript/JQuery ajax help needed

I'm a little confused here, maybe someone can help.
1) Javascript ajax request question: Can I use XMLHttpRequest to directly make a request to any other website - not the originating server?
2) JQuery ajax request question: Can I use $.ajax to directly make a request to any other website - not the originating server?
Browsing the web, I've found some stuff about how this might be forbidden due to XSS(cross-site-scripting), and that the work-around is to use a server scripting language and a webservice...but whatever that's not any concern to me.
If anyone can answer, please help!
I believe there is a confusion of terms here. This has nothing to do with XSS. The reason why you cannot get information with javascript across different domains (even http vs. https on the same domain) is due to the Same Origin Policy, which exists to prevent confusion of a session on a trusted site with an untrusted one without the user's direct intervention (e.g. by choosing to visit the different domain). XSS is a totally different concept that has to do with the infusion of scripts into a page to with malicious intent for the user.
As for accessing across domains all hope is not lost. XMLHttpRequest vs. .ajax() doesn't matter, but jsonp allows for an exchange of information across domains. Since HTML5, postMessage() has also been introduced which allows communication across domains as well (and to scripts no less!)
this question discusses the same problem. you have to fetch contents of other site on server side
You can not cross-site ajax requests. When you use jquery $.ajax to get data from a different domain, behind the scenes jquery takes the url and appends a include in the header of the document.
You're correct this is forbidden for security reasons.
jQuery's .ajax() is a simple way to use JavaScript's XMLHttpRequest in one function. In the end, it's just XMLHttpRequest.
Cross Site Scripting (XSS) prevents all cross-domain requests, but yes, you can use a serverside solution to overcome it.
But then there's JSONP, which does let JavaScript do cross-site requests, but only for a limited dataset.
Yes, it's possible with JSONP. Use it like this:
$.ajax({
url: 'remote_url',
type: 'post',
dataType: 'jsonp', //This does the trick
success: function(remoteData){
//Use remoteData here. Note it's already json parsed, so it's a javascript object
}
});
Hope this helps
Lastly you CAN make cross domain ajax if the server you are calling has implemented CORS and allows your domain to call it
1) Javascript ajax request question: Can I use XMLHttpRequest to directly make a request to any other website - not the originating server?
No, the server at the domain you're trying to connect to must accept cross-domain AJAX; otherwise, the only way to access this data is by using a page at your server that will proxy the requested data to your visitors.
2) JQuery ajax request question: Can I use $.ajax to directly make a request to any other website - not the originating server?
jQuery AJAX technology is actually a wrapper around the native XMLHttpRequest, so if the normal XMLHttpRequest works, the same should be true for jQuery.

JavaScript XMLHttpRequest breaks when accessed from alternate domain name

I have two domain names that point to my website, nathannifong.com, and uncc.ath.cx.
Javascript on the site occasionally needs to pull down resources with XMLHttpRequest. All URLs of resources in client scripts refer to nathannifong.com, and when a user comes to the site by uncc.ath.cx, the scripts fail because of cross domain secuity policy in JavaScript.
What should I change so that users can come to the site by any domain name, but the XMLHttpRequests still work?
If you are using the Domain Name in the URL's to make a ajax request, remove it hence the domain is automatically mapped to the one the user is using and you will not have the cross domain issues.
xhr is contrained by the same origin policy and will not work cross domain - for that use jsonp as already mentioned.
According to The CodeProject, JSONP would be a way of accomplishing this. I've not used it myself, however, but it might be worth taking a look there.
You could look at window.location to determine the page's domain, and then use that to load the request? That way you'd be sure that the request was going to the right domain. You could also look into JSONP, but only for GET requests.

javascript / ajax question

I'm wondering if anyone knows a javascript library where I could remotely login to a site, then browse pages upon logging in.
This is very easy with php's curl but I'm wondering if there is a javascript equivalent where I can execute multiple remote url's under a single http session.
Basically what I'm looking to do is post a username/password to one of my sites and then immediately post some other commands to a different url (same remote domain) using the authenticated session.
I haven't come across anything like this yet so I'm wondering if anyone can point me in the direction (if it's even possible). Can definitely be HTML5.
Due to same origin policy restrictions in browsers this is not possible using javascript. You need a server side script that will act as a bridge between your site and the remote sites. Then talk to this local script using AJAX.
There are some techniques available to bypass the same origin policy:
If you don't need to read the response of your POST calls, you can create a FORM by javascript with an action to any url (not limited to the same origin policy) like in this question: How do I send a cross-domain POST request via JavaScript?
But this means you rely only on session cookies for the security, this is open for XSS attacks.
As you own the other domain site, you could develop a small service that returns a JSON with the data you need, and use the JSONP technique, eg:
<script src="http://otherdomain/curl?url=page.html&callback=cb">
</script>
May be you could signin before using the POST technique above and sending a secret token that you reuse in the url to improve the security.
And finally there is a way to act/read on other pages using a bookmarklet.The idea is to inject in the other domain's page a script that can run with all the privileges, and send back information to your domain.
But this requires a manual action (click a link or a browser bookmark)

Categories