Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

cross domain scripting, is there a way around it?

Posted on 2014-11-23
14
163 Views
Last Modified: 2014-11-25
I have a webpage that uses an api webservice to get info.  The calls are to a different domain than my page so I get errors like below.  I have no control over the webservice so I can't alter it at all.  I found some links that mention using jsonp, which I tried but the webservice does not respond to.  I know I can do things to the browser, but I want it to work for anyone.  Is there a creative way around this like by doing it on another page and lazy loading it?  I am really not sure, but there must be a way.   I can see in fiddler that the call returns the xml correctly, but the js still errors.

Error:
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.


			return $.ajax({
                url: loginUrl,
                contentType: "application/x-www-form-urlencoded",
                //dataType: "xml",  //IT WILL WORK WITH OMMITTED BUT WORKS WITH TOO
				//dataType:       'jsonp',  //IT WON'T WORK WITH JSONP
                data: postData,
                async: true,
                type: "POST",  //NEED POST FOR THE WEBSERVICE TO RETURN A VALID RESPONSE IN FIDDLER
				//contentType:    'application/json', //DOES NOT WORK WITH
    });

Open in new window

0
Comment
Question by:jackjohnson44
  • 6
  • 5
  • 2
  • +1
14 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40460699
You need to add headers allowing the cross domain request in your page.
How you do this depends on your server.

Or you can use a proxy - you call a page on your server that makes the crosss domain call and passes the response back to your page.
0
 

Author Comment

by:jackjohnson44
ID: 40460729
The page I am posting to?  I don't have access to that server.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40460732
Or you use the proxy method.
0
How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

 

Author Comment

by:jackjohnson44
ID: 40461002
Thanks but that isn't really helpful at all.  I can't change the webservice like I mentioned and the term "proxy method" is not a solution.  Does anyone else have any advice?
0
 
LVL 58

Expert Comment

by:Gary
ID: 40461011
The only option is JSONP but you already said it won't work with JSONP
0
 
LVL 58

Expert Comment

by:Gary
ID: 40461030
Misread one of your earlier comment, you need to add the headers to your server to say it's ok to request the other domain.
0
 

Author Comment

by:jackjohnson44
ID: 40461409
I tried adding this header which does actually add and I can verify in fiddler.  I get the same error below.  It looks like that header needs to be on the webservice not my code.

XMLHttpRequest cannot load https://xxxx.com/apps/100/LogIn. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.
test:


headers in code
  after_filter :set_access_control_headers

  def set_access_control_headers
    headers['Access-Control-Allow-Origin'] = 'http://localhost:3000/'
    headers['Access-Control-Request-Method'] = '*'
  end
0
 
LVL 58

Expert Comment

by:Gary
ID: 40462193
Then you need to contact the webservice author - there is no other way around it.
0
 

Author Comment

by:jackjohnson44
ID: 40462249
Anyone else?
0
 
LVL 58

Expert Comment

by:Gary
ID: 40462307
You've been given the only 3 possible solutions, there is no other solution.
0
 

Author Comment

by:jackjohnson44
ID: 40462346
Thanks, but you are really not helping at all, and I'd appreciate it if you could not answer any more.  You suggested adding a header to the page that I was on which did not work.  You obviously did not try this or know it to be true and it was a waste of time.  You also suggested something that I stated in my question was not possible.  This is a forum for answers, not for people to have conversations with.  You have no business answering this question.  You also give very vague answers and provide no code.  Now this question has too many responses so no one will read through.  Please resist the urge to comment on this statement.  I am looking for a solution for my issue, I am not looking to have a conversation with someone who doesn't read questions.
0
 
LVL 43

Accepted Solution

by:
Rob earned 250 total points
ID: 40463391
jackjohnson44,

You're not going to want to hear it but what you're wanting to do is not possible when you only have control of the client.  There are workarounds in getting to the information but they require a "middle-man" approach where your request for the webmethod has to go through a "relay" or proxy as indicated by Gary.

I've built a system recently that did just this.  My webpage called the webmethod from my server.  My server then made a request (using PHP and cURL) to call the actual webmethod from the remote server.  My server parses the results and sends the data back to the webpage.  If you're interested in this method, I can provide more information.

The issue here is security.  The client is tied down and sandboxed so that there is no risk of private information being accessed when it shouldn't be.  The server side is a different kettle of fish altogether and isn't restricted in the same way.
0
 
LVL 43

Expert Comment

by:Rob
ID: 40463409
JSONP should work but I suspect there needs to be a valid session to use the webmethod or can anyone call it without logging in etc?
0
 
LVL 75

Assisted Solution

by:käµfm³d 👽
käµfm³d   👽 earned 250 total points
ID: 40463625
I agree with Rob (and Gary):  You cannot call a web service (or even a web page) on a different domain without either using CORS or JSONP--you can thank the XSS exploiters for that gem. The only remaining option is to make an AJAX call to your own server, have the server call the web service, and then return the result back via the AJAX call's response. In other words:  What Rob and Gary both mentioned (Gary called it a "proxy").
0

Featured Post

Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this article you'll learn how to use Ajax calls within your CodeIgniter application. To explain this, I'll illustrate how to implement a simple contact form to allow visitors to send you an email through your web site.
How to build a simple, quick and effective accordion menu using just 15 lines of jQuery and 2 css classes
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question