Solved

cross domain scripting, is there a way around it?

Posted on 2014-11-23
Last Modified: 2014-11-25
I have a webpage that uses an api webservice to get info.  The calls are to a different domain than my page so I get errors like below.  I have no control over the webservice so I can't alter it at all.  I found some links that mention using jsonp, which I tried but the webservice does not respond to.  I know I can do things to the browser, but I want it to work for anyone.  Is there a creative way around this like by doing it on another page and lazy loading it?  I am really not sure, but there must be a way.   I can see in fiddler that the call returns the xml correctly, but the js still errors.

Error:
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.


    return $.ajax({
        url: loginUrl,
        contentType: "application/x-www-form-urlencoded",
        //dataType: "xml",  //IT WILL WORK WITH OMITTED BUT WORKS WITH TOO
        //dataType: 'jsonp',  //IT WON'T WORK WITH JSONP
        data: postData,
        async: true,
        type: "POST",  //NEED POST FOR THE WEBSERVICE TO RETURN A VALID RESPONSE IN FIDDLER
        //contentType: 'application/json', //DOES NOT WORK WITH
    });

Question by:jackjohnson44
14 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40460699
You need to add headers allowing the cross domain request in your page.
How you do this depends on your server.

Or you can use a proxy - you call a page on your server that makes the cross domain call and passes the response back to your page.
0
 

Author Comment

by:jackjohnson44
ID: 40460729
The page I am posting to?  I don't have access to that server.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40460732
Or you use the proxy method.
0

 

Author Comment

by:jackjohnson44
ID: 40461002
Thanks but that isn't really helpful at all.  I can't change the webservice like I mentioned and the term "proxy method" is not a solution.  Does anyone else have any advice?
0
 
LVL 58

Expert Comment

by:Gary
ID: 40461011
The only option is JSONP but you already said it won't work with JSONP
0
 
LVL 58

Expert Comment

by:Gary
ID: 40461030
Misread one of your earlier comments, you need to add the headers to your server to say it's ok to request the other domain.
0
 

Author Comment

by:jackjohnson44
ID: 40461409
I tried adding this header which does actually add and I can verify in fiddler.  I get the same error below.  It looks like that header needs to be on the webservice not my code.

XMLHttpRequest cannot load https://xxxx.com/apps/100/LogIn. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.
test:


headers in code
  after_filter :set_access_control_headers

  def set_access_control_headers
    headers['Access-Control-Allow-Origin'] = 'http://localhost:3000/'
    headers['Access-Control-Request-Method'] = '*'
  end
0
 
LVL 58

Expert Comment

by:Gary
ID: 40462193
Then you need to contact the webservice author - there is no other way around it.
0
 

Author Comment

by:jackjohnson44
ID: 40462249
Anyone else?
0
 
LVL 58

Expert Comment

by:Gary
ID: 40462307
You've been given the only 3 possible solutions, there is no other solution.
0
 

Author Comment

by:jackjohnson44
ID: 40462346
Thanks, but you are really not helping at all, and I'd appreciate it if you could not answer any more.  You suggested adding a header to the page that I was on which did not work.  You obviously did not try this or know it to be true and it was a waste of time.  You also suggested something that I stated in my question was not possible.  This is a forum for answers, not for people to have conversations with.  You have no business answering this question.  You also give very vague answers and provide no code.  Now this question has too many responses so no one will read through.  Please resist the urge to comment on this statement.  I am looking for a solution for my issue, I am not looking to have a conversation with someone who doesn't read questions.
0
 
LVL 43

Accepted Solution

by:
Rob earned 250 total points
ID: 40463391
jackjohnson44,

You're not going to want to hear it but what you're wanting to do is not possible when you only have control of the client.  There are workarounds in getting to the information but they require a "middle-man" approach where your request for the webmethod has to go through a "relay" or proxy as indicated by Gary.

I've built a system recently that did just this.  My webpage called the webmethod from my server.  My server then made a request (using PHP and cURL) to call the actual webmethod from the remote server.  My server parses the results and sends the data back to the webpage.  If you're interested in this method, I can provide more information.

The issue here is security.  The client is tied down and sandboxed so that there is no risk of private information being accessed when it shouldn't be.  The server side is a different kettle of fish altogether and isn't restricted in the same way.
0
 
LVL 43

Expert Comment

by:Rob
ID: 40463409
JSONP should work but I suspect there needs to be a valid session to use the webmethod or can anyone call it without logging in etc?
0
 
LVL 75

Assisted Solution

by:käµfm³d 👽
käµfm³d   👽 earned 250 total points
ID: 40463625
I agree with Rob (and Gary):  You cannot call a web service (or even a web page) on a different domain without either using CORS or JSONP--you can thank the XSS exploiters for that gem. The only remaining option is to make an AJAX call to your own server, have the server call the web service, and then return the result back via the AJAX call's response. In other words:  What Rob and Gary both mentioned (Gary called it a "proxy").
0
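The server-side relay ("proxy") described in the accepted and assisted answers, sketched in Node.js as an added example; it is not code from any poster in this thread. The upstream host, the `/login-relay` path and the form field names are assumptions, and the upstream URL is fixed on the server with only allowlisted fields forwarded, so the endpoint does not become an open proxy.

```javascript
// Added example (Node 18+, no packages): same-origin relay for the login call.
// UPSTREAM is a placeholder; the page elides the real host as xxxx.com.
const UPSTREAM = "https://api.example.invalid/apps/100/LogIn";
const ALLOWED_FIELDS = ["username", "password"]; // assumed form field names
const MAX_BODY = 4096; // bytes accepted from the browser

// The target URL is fixed server-side and only allowlisted fields are
// forwarded, so the caller cannot point the relay at other hosts.
function buildUpstreamRequest(rawBody) {
  const incoming = new URLSearchParams(rawBody);
  const outgoing = new URLSearchParams();
  for (const name of ALLOWED_FIELDS) {
    if (incoming.has(name)) outgoing.set(name, incoming.get(name));
  }
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  const init = { method: "POST", headers, body: outgoing.toString(), redirect: "error" };
  return { url: UPSTREAM, init };
}

// Relay one request; returns what the page's own server sends to the browser.
async function relay(rawBody, fetchImpl = fetch) {
  if (Buffer.byteLength(rawBody) > MAX_BODY) {
    return { status: 413, type: "text/plain", body: "body too large" };
  }
  const { url, init } = buildUpstreamRequest(rawBody);
  try {
    const signal = AbortSignal.timeout(5000); // do not hang on a slow upstream
    const res = await fetchImpl(url, { ...init, signal });
    const type = res.headers.get("content-type") || "text/xml";
    return { status: res.status, type, body: await res.text() };
  } catch (err) {
    return { status: 502, type: "text/plain", body: "upstream request failed" };
  }
}

// Serve the relay on the page's own origin; the browser posts to /login-relay.
async function startRelay(port) {
  const http = await import("node:http");
  return http.createServer((req, res) => {
    if (req.method !== "POST" || req.url !== "/login-relay") {
      return res.writeHead(404).end();
    }
    let raw = "";
    req.on("data", (chunk) => { raw += chunk; if (raw.length > MAX_BODY) req.destroy(); });
    req.on("end", async () => {
      const out = await relay(raw);
      res.writeHead(out.status, { "Content-Type": out.type }).end(out.body);
    });
  }).listen(port);
}
```

With this running on the page's own server, the `$.ajax` call keeps its `POST` and form-encoded body and only changes `url` to the same-origin path, so the browser never makes a cross-origin request.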
