ansaurus

Question

Accessing web Service from jQuery - cross domain

Answer 1

+5 A:

You are running up against the Same-Origin Policy. The web service that you are accessing must reside on the same domain as the jQuery script that is making the request. This policy is enforced by all browsers to prevent - for example - cross-site scripting and code injection attacks on web applications.

There are various ways around it, including JSONP, Proxies or Flash.

We'll need a little more information before we can suggest which technique you should use. I tend to favor JSONP. But in the meantime, here's some light reading:

http://taossa.com/index.php/2007/02/08/same-origin-policy/

https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript

Here's an example use of JSONP:

url = "http://www.test.com/getData.php?callback=parseResults";

document.body.appendChild((function() {
    var newScript = document.createElement("script");
    newScript.type = "text/javascript";
    newScript.src = url;
    return newScript;
})());

function parseResults(data) {
    alert(data);
}

GlenCrawford 2010-04-23 09:48:45

So is the idea that you make ajax calls to a service on the same domain and that forwards requests to the intended service? But does so from server side code which does not have the sort of restrictions imposed by a browser?

Christo Fur 2010-04-23 10:04:51

If you're talking about using a Proxy, then yes, that's exactly right. The SOP is enforced by the browser, therefore PHP, ASP, ColdFusion and so on are not bound by it. Your JS makes the request to the proxy, the proxy makes the request to the service, and then the proxy passes the result back to the JS.

GlenCrawford 2010-04-23 10:07:25

I should probably point out that using a proxy may increase traffic and waiting times slightly, because you're now making two requests instead of one. JS --> Proxy --> Service

GlenCrawford 2010-04-23 10:13:45

sure, understood. Well the info is ultimitely to be consumed by a Flash movie. So I thought having the containing page make requests from Javascript might be the best way. But it might be easier of the requests come from within Flash and I just apply a Cross Domain policy

Christo Fur 2010-04-23 10:18:58

Answer 2

+1 A:

You might want to check out JSONP (JSON with Padding). In short, it involves adding a script element to the page with the web service url as the src. The web service then wraps the JSON as the first argument in a callback function, which is executed when the script is parsed.

Script elements are exempt from the Same Origin Policy, which is how they are able to get around this issue..

Andy E 2010-04-23 09:48:53

would adding a CrossDomain.XML be of any use? Or is it not that simple?

Christo Fur 2010-04-23 09:54:13

@Christo Fur: adding a crossdomain.xml file to the domain that the web service resides on will enable Flash applications to make cross-site requests to the API, if the XML file allows the domain that the Flash application resides on (more info: http://jimbojw.com/wiki/index.php?title=Cross-domain_Ajax_via_Flash)

GlenCrawford 2010-04-23 09:56:40

@Christo Fur: +What RoseOfJericho said. You could look into the `Access-Control` headers, but they're not widely supported by browsers (might only be Fx) and IE8 requires you to use `XDomainRequest()` instead of `XMLHttpRequest()`. JSONP is really your best option for x-browser compatibility.

Andy E 2010-04-23 10:06:21

@Christo Fur: I've heard that Chrome partially supports Access-Control-Allow-Origin and related headers, but yes, by relying on the Cross-Origin Resource Sharing specification (still in working-draft phase at W3C), you're really only making your website usable by Firefox users...for now.

GlenCrawford 2010-04-23 10:10:54

Is it possible to post data using JSONP? or does everything have to be passed in the query string?

Christo Fur 2010-04-23 11:24:45

Answer 3

A:

Typically, you won't be able to; modern browsers restrict this to prevent cross-site scripting attacks. One way around it may be to use "padded" JSON, JSONP, which inserts the results in a script element on your page. There's a Microsoft WCF sample here which seems to do that.

Matt Gibson 2010-04-23 09:50:24

Answer 4

A:

Due to the AJAX same origin policy, you can't do it cross domain.

Kind Regards

--Andy

jAndy 2010-04-23 09:51:55

Answer 5

A:

I faced the same problem during 2 days and I found the solution, and it's elegant after googling a lot. I needed xss Ajax for some widget clients which pull datastream from tiers websites to my Rails app. here's how I did.

R Francky 2010-08-27 14:47:49

ansaurus

tags:

views:

answers:

Accessing web Service from jQuery - cross domain

related questions