Solved

cross domain scripting, is there a way around it?

Posted on 2014-11-23
14
166 Views
Last Modified: 2014-11-25
I have a webpage that uses an api webservice to get info.  The calls are to a different domain than my page so I get errors like below.  I have no control over the webservice so I can't alter it at all.  I found some links that mention using jsonp, which I tried but the webservice does not respond to.  I know I can do things to the browser, but I want it to work for anyone.  Is there a creative way around this like by doing it on another page and lazy loading it?  I am really not sure, but there must be a way.   I can see in fiddler that the call returns the xml correctly, but the js still errors.

Error:
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.


			return $.ajax({
                url: loginUrl,
                contentType: "application/x-www-form-urlencoded",
                //dataType: "xml",  //IT WILL WORK WITH OMMITTED BUT WORKS WITH TOO
				//dataType:       'jsonp',  //IT WON'T WORK WITH JSONP
                data: postData,
                async: true,
                type: "POST",  //NEED POST FOR THE WEBSERVICE TO RETURN A VALID RESPONSE IN FIDDLER
				//contentType:    'application/json', //DOES NOT WORK WITH
    });

Open in new window

0
Comment
Question by:jackjohnson44
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 2
  • +1
14 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40460699
You need to add headers allowing the cross domain request in your page.
How you do this depends on your server.

Or you can use a proxy - you call a page on your server that makes the crosss domain call and passes the response back to your page.
0
 

Author Comment

by:jackjohnson44
ID: 40460729
The page I am posting to?  I don't have access to that server.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40460732
Or you use the proxy method.
0
More Than Just A Video Library

Train for your certification. Learn the latest DevOps tools. Grow your skillset to do better work.

At Linux Academy, we release new training modules every week so you'll always be up to date on the latest tech.

 

Author Comment

by:jackjohnson44
ID: 40461002
Thanks but that isn't really helpful at all.  I can't change the webservice like I mentioned and the term "proxy method" is not a solution.  Does anyone else have any advice?
0
 
LVL 58

Expert Comment

by:Gary
ID: 40461011
The only option is JSONP but you already said it won't work with JSONP
0
 
LVL 58

Expert Comment

by:Gary
ID: 40461030
Misread one of your earlier comment, you need to add the headers to your server to say it's ok to request the other domain.
0
 

Author Comment

by:jackjohnson44
ID: 40461409
I tried adding this header which does actually add and I can verify in fiddler.  I get the same error below.  It looks like that header needs to be on the webservice not my code.

XMLHttpRequest cannot load https://xxxx.com/apps/100/LogIn. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.
test:


headers in code
  after_filter :set_access_control_headers

  def set_access_control_headers
    headers['Access-Control-Allow-Origin'] = 'http://localhost:3000/'
    headers['Access-Control-Request-Method'] = '*'
  end
0
 
LVL 58

Expert Comment

by:Gary
ID: 40462193
Then you need to contact the webservice author - there is no other way around it.
0
 

Author Comment

by:jackjohnson44
ID: 40462249
Anyone else?
0
 
LVL 58

Expert Comment

by:Gary
ID: 40462307
You've been given the only 3 possible solutions, there is no other solution.
0
 

Author Comment

by:jackjohnson44
ID: 40462346
Thanks, but you are really not helping at all, and I'd appreciate it if you could not answer any more.  You suggested adding a header to the page that I was on which did not work.  You obviously did not try this or know it to be true and it was a waste of time.  You also suggested something that I stated in my question was not possible.  This is a forum for answers, not for people to have conversations with.  You have no business answering this question.  You also give very vague answers and provide no code.  Now this question has too many responses so no one will read through.  Please resist the urge to comment on this statement.  I am looking for a solution for my issue, I am not looking to have a conversation with someone who doesn't read questions.
0
 
LVL 43

Accepted Solution

by:
Rob earned 250 total points
ID: 40463391
jackjohnson44,

You're not going to want to hear it but what you're wanting to do is not possible when you only have control of the client.  There are workarounds in getting to the information but they require a "middle-man" approach where your request for the webmethod has to go through a "relay" or proxy as indicated by Gary.

I've built a system recently that did just this.  My webpage called the webmethod from my server.  My server then made a request (using PHP and cURL) to call the actual webmethod from the remote server.  My server parses the results and sends the data back to the webpage.  If you're interested in this method, I can provide more information.

The issue here is security.  The client is tied down and sandboxed so that there is no risk of private information being accessed when it shouldn't be.  The server side is a different kettle of fish altogether and isn't restricted in the same way.
0
 
LVL 43

Expert Comment

by:Rob
ID: 40463409
JSONP should work but I suspect there needs to be a valid session to use the webmethod or can anyone call it without logging in etc?
0
 
LVL 75

Assisted Solution

by:käµfm³d 👽
käµfm³d   👽 earned 250 total points
ID: 40463625
I agree with Rob (and Gary):  You cannot call a web service (or even a web page) on a different domain without either using CORS or JSONP--you can thank the XSS exploiters for that gem. The only remaining option is to make an AJAX call to your own server, have the server call the web service, and then return the result back via the AJAX call's response. In other words:  What Rob and Gary both mentioned (Gary called it a "proxy").
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
This article discusses how to implement server side field validation and display customized error messages to the client.
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question