36

As you know, the security of the web browser disallows making of cross domain requests. I read a book which says that you should use XMLHTTPRequest only if you can put the files on the server (means put the page you will load to the same requested domain). If you can't - you should search for an alternative.

My questions are:

  1. What is the cross domain alternative to XMLHTTPRequest?
  2. What about WebSockets? Does this technology allow cross domain request?

EDIT: It still isn't clear to me...

For example, I pull my page from www.domain1.com and I need to request javascript from www.domain2.com. So the pulled page should include something like:

<script src="www.domain2.com/script.js"></script>

to avoid cross domain restrictions.

And I can use JSONP, and request will look like: http://ww.domain1.com/?callback=someFunction.js

But: isn't it the same? I just pull js from another domain! Does it avoid cross domain restrictions?

1

3 Answers 3

Reset to default
22

You can make cross domain requests using the XMLHttpRequest object. This is done using something called "Cross Origin Resource Sharing". See: http://en.wikipedia.org/wiki/Cross-origin_resource_sharing

Very simply put, when the request is made to the server the server can respond with a Access-Control-Allow-Origin header which will either allow or deny the request. The browser needs to check this header and if it is allowed then it will continue with the request process. If not the browser will cancel the request.

You can find some more information and a working example here: http://www.leggetter.co.uk/2010/03/12/making-cross-domain-javascript-requests-using-xmlhttprequest-or-xdomainrequest.html

JSONP is an alternative solution, but you could argue it's a bit of a hack.

3
  • I would argue that this is also a bit of a hack. Not keeping me from using it, though! :D
    – Charles Wood
    Commented Nov 17, 2015 at 20:02
  • @CharlesWood don't be naive...a secured server will check the value of this header then decide whether the request should be allowed or not ;)
    – Leo
    Commented Oct 5, 2018 at 6:42
  • @Leo Yeah I don't know what I was thinking :D
    – Charles Wood
    Commented Oct 10, 2018 at 21:31
5

Do a cross-domain AJAX call

Your web-service must support method injection in order to do JSONP.

Your code seems fine and it should work if your web services and your web application hosted in the same domain.

When you do a $.ajax with dataType: 'jsonp' meaning that jQuery is actually adding a new parameter to the query URL.

For instance, if your URL is http://10.211.2.219:8080/SampleWebService/sample.do then jQuery will add ?callback={some_random_dynamically_generated_method}.

This method is more kind of a proxy actually attached in window object. This is nothing specific but does look something like this:

window.some_random_dynamically_generated_method = function(actualJsonpData) {
    //here actually has reference to the success function mentioned with $.ajax
    //so it just calls the success method like this: 
    successCallback(actualJsonData);
}

Check the following for more information

Make cross-domain ajax JSONP request with jQuery

1
  • yeah, thanks. But can you provide answer to the question id EDIT area, please
    – VB_
    Commented Jul 26, 2013 at 7:11
4

If you're willing to transmit some data and that you don't need to be secured (any public infos) you can use a CORS proxy, it's very easy, you'll not have to change anything in your code or in server side (especially of it's not your server like the Yahoo API or OpenWeather). I've used it to fetch JSON files with an XMLHttpRequest and it worked fine.

Not the answer you're looking for? Browse other questions tagged or ask your own question.