Solved

cross domain scripting, is there a way around it?

Posted on 2014-11-23
14
159 Views
Last Modified: 2014-11-25
I have a webpage that uses an api webservice to get info.  The calls are to a different domain than my page so I get errors like below.  I have no control over the webservice so I can't alter it at all.  I found some links that mention using jsonp, which I tried but the webservice does not respond to.  I know I can do things to the browser, but I want it to work for anyone.  Is there a creative way around this like by doing it on another page and lazy loading it?  I am really not sure, but there must be a way.   I can see in fiddler that the call returns the xml correctly, but the js still errors.

Error:
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.


			return $.ajax({
                url: loginUrl,
                contentType: "application/x-www-form-urlencoded",
                //dataType: "xml",  //IT WILL WORK WITH OMMITTED BUT WORKS WITH TOO
				//dataType:       'jsonp',  //IT WON'T WORK WITH JSONP
                data: postData,
                async: true,
                type: "POST",  //NEED POST FOR THE WEBSERVICE TO RETURN A VALID RESPONSE IN FIDDLER
				//contentType:    'application/json', //DOES NOT WORK WITH
    });

Open in new window

0
Comment
Question by:jackjohnson44
  • 6
  • 5
  • 2
  • +1
14 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40460699
You need to add headers allowing the cross domain request in your page.
How you do this depends on your server.

Or you can use a proxy - you call a page on your server that makes the crosss domain call and passes the response back to your page.
0
 

Author Comment

by:jackjohnson44
ID: 40460729
The page I am posting to?  I don't have access to that server.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40460732
Or you use the proxy method.
0
 

Author Comment

by:jackjohnson44
ID: 40461002
Thanks but that isn't really helpful at all.  I can't change the webservice like I mentioned and the term "proxy method" is not a solution.  Does anyone else have any advice?
0
 
LVL 58

Expert Comment

by:Gary
ID: 40461011
The only option is JSONP but you already said it won't work with JSONP
0
 
LVL 58

Expert Comment

by:Gary
ID: 40461030
Misread one of your earlier comment, you need to add the headers to your server to say it's ok to request the other domain.
0
 

Author Comment

by:jackjohnson44
ID: 40461409
I tried adding this header which does actually add and I can verify in fiddler.  I get the same error below.  It looks like that header needs to be on the webservice not my code.

XMLHttpRequest cannot load https://xxxx.com/apps/100/LogIn. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.
test:


headers in code
  after_filter :set_access_control_headers

  def set_access_control_headers
    headers['Access-Control-Allow-Origin'] = 'http://localhost:3000/'
    headers['Access-Control-Request-Method'] = '*'
  end
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 58

Expert Comment

by:Gary
ID: 40462193
Then you need to contact the webservice author - there is no other way around it.
0
 

Author Comment

by:jackjohnson44
ID: 40462249
Anyone else?
0
 
LVL 58

Expert Comment

by:Gary
ID: 40462307
You've been given the only 3 possible solutions, there is no other solution.
0
 

Author Comment

by:jackjohnson44
ID: 40462346
Thanks, but you are really not helping at all, and I'd appreciate it if you could not answer any more.  You suggested adding a header to the page that I was on which did not work.  You obviously did not try this or know it to be true and it was a waste of time.  You also suggested something that I stated in my question was not possible.  This is a forum for answers, not for people to have conversations with.  You have no business answering this question.  You also give very vague answers and provide no code.  Now this question has too many responses so no one will read through.  Please resist the urge to comment on this statement.  I am looking for a solution for my issue, I am not looking to have a conversation with someone who doesn't read questions.
0
 
LVL 42

Accepted Solution

by:
Rob Jurd, EE MVE earned 250 total points
ID: 40463391
jackjohnson44,

You're not going to want to hear it but what you're wanting to do is not possible when you only have control of the client.  There are workarounds in getting to the information but they require a "middle-man" approach where your request for the webmethod has to go through a "relay" or proxy as indicated by Gary.

I've built a system recently that did just this.  My webpage called the webmethod from my server.  My server then made a request (using PHP and cURL) to call the actual webmethod from the remote server.  My server parses the results and sends the data back to the webpage.  If you're interested in this method, I can provide more information.

The issue here is security.  The client is tied down and sandboxed so that there is no risk of private information being accessed when it shouldn't be.  The server side is a different kettle of fish altogether and isn't restricted in the same way.
0
 
LVL 42

Expert Comment

by:Rob Jurd, EE MVE
ID: 40463409
JSONP should work but I suspect there needs to be a valid session to use the webmethod or can anyone call it without logging in etc?
0
 
LVL 74

Assisted Solution

by:käµfm³d 👽
käµfm³d   👽 earned 250 total points
ID: 40463625
I agree with Rob (and Gary):  You cannot call a web service (or even a web page) on a different domain without either using CORS or JSONP--you can thank the XSS exploiters for that gem. The only remaining option is to make an AJAX call to your own server, have the server call the web service, and then return the result back via the AJAX call's response. In other words:  What Rob and Gary both mentioned (Gary called it a "proxy").
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Introduction JSON is an acronym for JavaScript Object Notation.  It is a text-string data transport mechanism, capable of representing simple or complex data structures in a consistent and easy-to-read manner.  Similar in concept to XML, but more e…
This article demonstrates how to create a simple responsive confirmation dialog with Ok and Cancel buttons using HTML, CSS, jQuery and Promises
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now