cross domain scripting, is there a way around it?

I have a webpage that uses an api webservice to get info.  The calls are to a different domain than my page so I get errors like below.  I have no control over the webservice so I can't alter it at all.  I found some links that mention using jsonp, which I tried but the webservice does not respond to.  I know I can do things to the browser, but I want it to work for anyone.  Is there a creative way around this like by doing it on another page and lazy loading it?  I am really not sure, but there must be a way.   I can see in fiddler that the call returns the xml correctly, but the js still errors.

Error:
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.


			return $.ajax({
                url: loginUrl,
                contentType: "application/x-www-form-urlencoded",
                //dataType: "xml",  //IT WILL WORK WITH OMMITTED BUT WORKS WITH TOO
				//dataType:       'jsonp',  //IT WON'T WORK WITH JSONP
                data: postData,
                async: true,
                type: "POST",  //NEED POST FOR THE WEBSERVICE TO RETURN A VALID RESPONSE IN FIDDLER
				//contentType:    'application/json', //DOES NOT WORK WITH
    });

Open in new window

jackjohnson44Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

GaryCommented:
You need to add headers allowing the cross domain request in your page.
How you do this depends on your server.

Or you can use a proxy - you call a page on your server that makes the crosss domain call and passes the response back to your page.
0
jackjohnson44Author Commented:
The page I am posting to?  I don't have access to that server.
0
GaryCommented:
Or you use the proxy method.
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

jackjohnson44Author Commented:
Thanks but that isn't really helpful at all.  I can't change the webservice like I mentioned and the term "proxy method" is not a solution.  Does anyone else have any advice?
0
GaryCommented:
The only option is JSONP but you already said it won't work with JSONP
0
GaryCommented:
Misread one of your earlier comment, you need to add the headers to your server to say it's ok to request the other domain.
0
jackjohnson44Author Commented:
I tried adding this header which does actually add and I can verify in fiddler.  I get the same error below.  It looks like that header needs to be on the webservice not my code.

XMLHttpRequest cannot load https://xxxx.com/apps/100/LogIn. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.
test:


headers in code
  after_filter :set_access_control_headers

  def set_access_control_headers
    headers['Access-Control-Allow-Origin'] = 'http://localhost:3000/'
    headers['Access-Control-Request-Method'] = '*'
  end
0
GaryCommented:
Then you need to contact the webservice author - there is no other way around it.
0
jackjohnson44Author Commented:
Anyone else?
0
GaryCommented:
You've been given the only 3 possible solutions, there is no other solution.
0
jackjohnson44Author Commented:
Thanks, but you are really not helping at all, and I'd appreciate it if you could not answer any more.  You suggested adding a header to the page that I was on which did not work.  You obviously did not try this or know it to be true and it was a waste of time.  You also suggested something that I stated in my question was not possible.  This is a forum for answers, not for people to have conversations with.  You have no business answering this question.  You also give very vague answers and provide no code.  Now this question has too many responses so no one will read through.  Please resist the urge to comment on this statement.  I am looking for a solution for my issue, I am not looking to have a conversation with someone who doesn't read questions.
0
RobOwner (Aidellio)Commented:
jackjohnson44,

You're not going to want to hear it but what you're wanting to do is not possible when you only have control of the client.  There are workarounds in getting to the information but they require a "middle-man" approach where your request for the webmethod has to go through a "relay" or proxy as indicated by Gary.

I've built a system recently that did just this.  My webpage called the webmethod from my server.  My server then made a request (using PHP and cURL) to call the actual webmethod from the remote server.  My server parses the results and sends the data back to the webpage.  If you're interested in this method, I can provide more information.

The issue here is security.  The client is tied down and sandboxed so that there is no risk of private information being accessed when it shouldn't be.  The server side is a different kettle of fish altogether and isn't restricted in the same way.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
RobOwner (Aidellio)Commented:
JSONP should work but I suspect there needs to be a valid session to use the webmethod or can anyone call it without logging in etc?
0
käµfm³d 👽Commented:
I agree with Rob (and Gary):  You cannot call a web service (or even a web page) on a different domain without either using CORS or JSONP--you can thank the XSS exploiters for that gem. The only remaining option is to make an AJAX call to your own server, have the server call the web service, and then return the result back via the AJAX call's response. In other words:  What Rob and Gary both mentioned (Gary called it a "proxy").
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
jQuery

From novice to tech pro — start learning today.