I tried to call JavaScript function exist on some server(server1) from another server(server2) and I got this error:
Unsafe JavaScript attempt to access frame with URL https://server1/ from frame with URL https://server2/ . Domains, protocols and ports must match.
I used JSP, Java, JavaScript and tomcat7, is there any way to solve this problem? any help will be appreciated.
Yes, must add a cross-origin rule to the header of your javascript file, which allows access from your other server.
Otherwise, your Browser doesn´t let you do that.
You can look at the answer of this Question: XmlHttpRequest error: Origin null is not allowed by Access-Control-Allow-Origin
It should tell you how to do it.
Take a look at easyXDM - it provides an RPC feature allowing you to call methods across the Same Origin Policy.
Take a look at one of the demo's here
As described you are subject to the Same Origin Policy, this is designed to protect users.
Google have a good write-up: http://code.google.com/p/browsersec/wiki/Part2.
There are several typical approaches to working around this:
jquery has a getJson or jsonp type of function. most other js libs have something similar. They use a dynamic Script tag, suitable for GET requests from other domains.
Create a servlet on domain1 that proxies to domain2 - allows unrestricted HTTP methods and use of XmlHTTPRequest.
I've not tried http://easyxdm.net/wp/
There are improvements coming, like cross document messaging in HTML5
Related
I need to provide a functionality similar to "Share with Facebook" for my social networking site. Facebook uses nested iframes and also xd_receiver concepts. I want to write a JavaScript API(JS file hosted on my domain), which can be used by different sites to call my web server APIs in order to share, post or recommend on my social networking site. I have a few questions -
Even though I provide the JS API, and diff sites load the JS file using the source, if any API call is made, it will again be a cross domain call(If I am comprehending correctly) and will be rejected on the server?
How to overcome such situation?
Is there any other better mechanism to implement this functionality?
Please suggest so that I can proceed with the implementation.
I think the default way is to use jsonp to get around cross domain limitation. http://en.wikipedia.org/wiki/JSONP. It might require a change in your api though. A user requests your api through the src of a script tag passing in a function callback. Your api would return pass your json response to the function specified.
Do you know why they use iframes and not simple get requests with JSONP/Images/scripts?
The answer is security. I cannot write a script that clicks their button which will automatically "like" the page.
Using plain old JavaScript with a JSONP will allow the developer to automatically click the button. Do you want that to happen?
The requests are made by the browser and not from the JS file, so, your requests will be cross-domain every time they did from another domain site.
Your server will only reject cross-domain requests if you implement a referrer validation.
And you can use JSONP if your API needs custom contents from your site...
To allow cross domain requests, you need to set the following Header in your HTTP Response:
Access-Control-Allow-Origin: *
The implementation will vary depending on the back-end you are using.
If the host in the Origin header of the request is anything but the host of the request, the response must include the listed Origin in the Access-Control-Allow-Origin header. Setting this header to * will allow all origins.
For very specific information on cross origin resource sharing see http://www.w3.org/TR/cors/. If you're not big on reading w3c documents, check out MDN's primer.
Note: Internet Explorer does its own thing with regards to cross domain requests. This answer is a good start if you have issues with IE.
I'm trying to use XHR to access the GitHub HTTP API, and I'm being rather badly defeated by the Same Origin Policy. I'm quite sure that easyXDM is overkill for this, but I don't know what else (if there is anything else) that I can use. Is there some easier way than easyXDM to get from my website to the GitHub API?
Turns out GitHub API supports JSON-P. from http://developer.github.com/v3/#json-p-callbacks:
You can send a callback parameter to any GET call to have the
results wrapped in a JSON function. This is typically used when
browsers want to embed GitHub content in web pages by getting around
cross domain issues.
(emphasis mine)
This is your friend:
http://developer.github.com/v3/#cross-origin-resource-sharing
I have two domain names that point to my website, nathannifong.com, and uncc.ath.cx.
Javascript on the site occasionally needs to pull down resources with XMLHttpRequest. All URLs of resources in client scripts refer to nathannifong.com, and when a user comes to the site by uncc.ath.cx, the scripts fail because of cross domain secuity policy in JavaScript.
What should I change so that users can come to the site by any domain name, but the XMLHttpRequests still work?
If you are using the Domain Name in the URL's to make a ajax request, remove it hence the domain is automatically mapped to the one the user is using and you will not have the cross domain issues.
xhr is contrained by the same origin policy and will not work cross domain - for that use jsonp as already mentioned.
According to The CodeProject, JSONP would be a way of accomplishing this. I've not used it myself, however, but it might be worth taking a look there.
You could look at window.location to determine the page's domain, and then use that to load the request? That way you'd be sure that the request was going to the right domain. You could also look into JSONP, but only for GET requests.
I have a piece of javascript executing on a jetty server which is sending a XMLHTTPRequest to a scoket on another server(wamp server).
The request gets sent to the socket, however the XHR response seems to be getting blocked.
My only thoughts on this is it may be an issue with XSS(cross site scripting).
Is there a way in which i could enable cross site scripting for this particular request or is there something else i should be doing?
Any help would be greatly appreciated!
That sounds about right. Browser cross-domain policy blocks XHR requests to other domains. Try using the JSONP technique in order to circumvent this.
It may seem odd that cross-domain policy can be so easily circumvented, but that's because when a server exposes a JSONP interface, it is clearly a mutual agreement.
Good luck!
Take a look here, this lets you expose an ajax endpoint across the domain boundary without the use of JSONP - its plain XHR with a little bit of cross domain messaging on top.
For the exact example of cross domain ajax, see this http://consumer.easyxdm.net/current/example/xhr.html
By the way, this is what the Russian version of Facebook (vkontakte, 75+mill users) uses for its API.
You cannot make xmlhttprequests to other servers. You have 2 options
proxy everthing through the server that servs the javascript.
use a <script> tag to pull data off the otherserver using dynamically generated js on that server.
Thanks guys for your response but I actually found that the issue was with same origin policy as I am running both servers from the same host but with different port numbers.
JSONP seems like it may solve the problem, but I am going to try just use the one server now for completeness.
The following article explains my problem under the background heading.
and in column four of the table.
http://taossa.com/index.php/2007/02/08/same-origin-policy/
I need to use AJAX to get the content of another page located on a different server from the one the AJAX is loaded from. The AJAX needs to send a POST request then return the result. how can i do this?
Set up proxy on your own server. Have your server call theirs and return the result.
if you control both servers, you can use one of the HTTP header fields for cross-origin resource sharing:
http://www.petefreitag.com/item/703.cfm
https://developer.mozilla.org/En/HTTP_access_control
There is no way to go around that policy. This policy is there for very good reasons.
That is also no problem as long as you're in control over the web application. You could simply redirect the call to the other server from your webserver and pass the result. This would work out like a proxy.
If you want to do that on the client and cross browser, you need some cooperation from the other server.
Either by:
1) using JSONP (inject a script tag with a callback function)
Only GET calls are possible though.
Security is an issue as the script has access to all resources in that page(data, cookies, ...).Here's a post that explain how to sandbox them and keep the data in your page safe.
2) POST looks possible using Kris Zip's window.name technique
If the cooperation from the other server is impossible, the server proxy as described in other answers is, to my knowledge, the only option left.