What's the reason i have to use jsonp?
A few days ago i asked why i have no response from a rest server with jquery.
The reason was that i must use JSONP. I tested that with a own server and it worked.
Now i have to convince my college's who have control of the right server that the output have to be JSONP instead of json.
Only i don't now exactly why i must use JSONP? And is this only a jquery problem or is it not possible with javascript at all?
Can anyone help me with these questions? Thanks
JSONP is used to get data via AJAX cross-domain. Well, not exactly, JSONP is actually a bit of a "hack".
AJAX requests only work on the same domain, but <script> tags can be included from any domain. This is what JSONP is, it's actually a Javascript file, that gets added as a <script> tag.
That's why in JSONP, it's callback({data: value}), this is a script that gets executed.
If the AJAX request is being made to an URL that falls under the so called Same origin policy, it will normally fail in most browsers due to built-in browser restrictions.
But if you are on the same domain, protocol and port as your colleges server, you don’t need JSONP to make AJAX requests, you can just go ahead using the standard AJAX tools.
If you are not, JSONP is an industry-standard technique of working around the same origin policy, but it also requires that the server delivers data in a special way to make it available for the client.
Related
So a couple of days ago i was looking for something like this and had actually found it but never found a use for it. I know its listed somewhere on mozilla's site but i forget what the function is called.
In anycase i wish to request an external domain that doesn't have cors and does not requir external help from things like proxy's. its a rather recent function added to javascript as when i read about it (before i forgot the name) it was listed as expiremental technology. It's supposedly a safe alternative to CORS the only catch is unlike cors you are not allowed to view the response.
What i want to use it for is to basically see if the status code returned is 404 or 200 so i can tell users whether a specific site is having issues and since the ammount of sites that would be requested is huge if i do it server side id prefer to have it done in a clients browser only on specific pages.
I think you could get by with sending a HEAD HTTP request.
I'm a little confused here, maybe someone can help.
1) Javascript ajax request question: Can I use XMLHttpRequest to directly make a request to any other website - not the originating server?
2) JQuery ajax request question: Can I use $.ajax to directly make a request to any other website - not the originating server?
Browsing the web, I've found some stuff about how this might be forbidden due to XSS(cross-site-scripting), and that the work-around is to use a server scripting language and a webservice...but whatever that's not any concern to me.
If anyone can answer, please help!
I believe there is a confusion of terms here. This has nothing to do with XSS. The reason why you cannot get information with javascript across different domains (even http vs. https on the same domain) is due to the Same Origin Policy, which exists to prevent confusion of a session on a trusted site with an untrusted one without the user's direct intervention (e.g. by choosing to visit the different domain). XSS is a totally different concept that has to do with the infusion of scripts into a page to with malicious intent for the user.
As for accessing across domains all hope is not lost. XMLHttpRequest vs. .ajax() doesn't matter, but jsonp allows for an exchange of information across domains. Since HTML5, postMessage() has also been introduced which allows communication across domains as well (and to scripts no less!)
this question discusses the same problem. you have to fetch contents of other site on server side
You can not cross-site ajax requests. When you use jquery $.ajax to get data from a different domain, behind the scenes jquery takes the url and appends a include in the header of the document.
You're correct this is forbidden for security reasons.
jQuery's .ajax() is a simple way to use JavaScript's XMLHttpRequest in one function. In the end, it's just XMLHttpRequest.
Cross Site Scripting (XSS) prevents all cross-domain requests, but yes, you can use a serverside solution to overcome it.
But then there's JSONP, which does let JavaScript do cross-site requests, but only for a limited dataset.
Yes, it's possible with JSONP. Use it like this:
$.ajax({
url: 'remote_url',
type: 'post',
dataType: 'jsonp', //This does the trick
success: function(remoteData){
//Use remoteData here. Note it's already json parsed, so it's a javascript object
}
});
Hope this helps
Lastly you CAN make cross domain ajax if the server you are calling has implemented CORS and allows your domain to call it
1) Javascript ajax request question: Can I use XMLHttpRequest to directly make a request to any other website - not the originating server?
No, the server at the domain you're trying to connect to must accept cross-domain AJAX; otherwise, the only way to access this data is by using a page at your server that will proxy the requested data to your visitors.
2) JQuery ajax request question: Can I use $.ajax to directly make a request to any other website - not the originating server?
jQuery AJAX technology is actually a wrapper around the native XMLHttpRequest, so if the normal XMLHttpRequest works, the same should be true for jQuery.
Let's say I want to use AJAX to retrieve a json file from an untrusted different domain.
I then parse the response as a javascript object without any script evaluation.
(A cookie is not sent with my request.)
I don't understand why the browser prevents me from doing this.
I understand that if I were to evaluate the response as a script then that would be a security issue.
I understand that there are work-arounds to achieve the above.
Is there a reason that my specific scenario should be prevented, or has it just got accidentally caught up in the same-origin dragnet?
Thanks.
(assuming the server does not support CORS)
... you have no intention of evaluating the response as a script?
Firstly, browser security has no way of determining what you intend to do.
Second, the same source / origin restrictions are designed prevent other things as well: e.g. see
http://blogs.msdn.com/b/ieinternals/archive/2009/08/28/explaining-same-origin-policy-part-1-deny-read.aspx
Cross-domain AJAX is possible, but the remote server needs to support CORS and there may be certain header restrictions.
JSONP is not necessary for most applications. If the remote server does not support CORS, then you're stuck with the same-origin garbage and you'll have to use JSONP.
Note:
Older browsers don't support CORS. You may want to use jQuery or a similar framework (I've had trouble with Mootools and cross-domain AJAX because I couldn't figure out how to remove some of the default headers. jQuery worked out of the box for me on my set-up.
I have a piece of javascript executing on a jetty server which is sending a XMLHTTPRequest to a scoket on another server(wamp server).
The request gets sent to the socket, however the XHR response seems to be getting blocked.
My only thoughts on this is it may be an issue with XSS(cross site scripting).
Is there a way in which i could enable cross site scripting for this particular request or is there something else i should be doing?
Any help would be greatly appreciated!
That sounds about right. Browser cross-domain policy blocks XHR requests to other domains. Try using the JSONP technique in order to circumvent this.
It may seem odd that cross-domain policy can be so easily circumvented, but that's because when a server exposes a JSONP interface, it is clearly a mutual agreement.
Good luck!
Take a look here, this lets you expose an ajax endpoint across the domain boundary without the use of JSONP - its plain XHR with a little bit of cross domain messaging on top.
For the exact example of cross domain ajax, see this http://consumer.easyxdm.net/current/example/xhr.html
By the way, this is what the Russian version of Facebook (vkontakte, 75+mill users) uses for its API.
You cannot make xmlhttprequests to other servers. You have 2 options
proxy everthing through the server that servs the javascript.
use a <script> tag to pull data off the otherserver using dynamically generated js on that server.
Thanks guys for your response but I actually found that the issue was with same origin policy as I am running both servers from the same host but with different port numbers.
JSONP seems like it may solve the problem, but I am going to try just use the one server now for completeness.
The following article explains my problem under the background heading.
and in column four of the table.
http://taossa.com/index.php/2007/02/08/same-origin-policy/
I need to use AJAX to get the content of another page located on a different server from the one the AJAX is loaded from. The AJAX needs to send a POST request then return the result. how can i do this?
Set up proxy on your own server. Have your server call theirs and return the result.
if you control both servers, you can use one of the HTTP header fields for cross-origin resource sharing:
http://www.petefreitag.com/item/703.cfm
https://developer.mozilla.org/En/HTTP_access_control
There is no way to go around that policy. This policy is there for very good reasons.
That is also no problem as long as you're in control over the web application. You could simply redirect the call to the other server from your webserver and pass the result. This would work out like a proxy.
If you want to do that on the client and cross browser, you need some cooperation from the other server.
Either by:
1) using JSONP (inject a script tag with a callback function)
Only GET calls are possible though.
Security is an issue as the script has access to all resources in that page(data, cookies, ...).Here's a post that explain how to sandbox them and keep the data in your page safe.
2) POST looks possible using Kris Zip's window.name technique
If the cooperation from the other server is impossible, the server proxy as described in other answers is, to my knowledge, the only option left.