What triggers cross-domain violation when AJAX request?
Due to this:
A resource is cross-origin when it's located at a different (sub)domain, protocol, or port!
You should also use exact match host so http://www.example.com/bar doesn't work out.
Take a look at this to see more examples.
You should not get CORS in the A option.
And also this article fully describing CORS.
How to send a cross domain ajax request
Put it on top of config.php:
header('Access-Control-Allow-Origin: *');
jQuery AJAX cross domain
Use JSONP.
jQuery:
$.ajax({
    url: "testserver.php",
    dataType: 'jsonp', // Notice! JSONP <-- P (lowercase)
    success: function (json) {
        // do stuff with json (in this case an array)
        alert("Success");
    },
    error: function () {
        alert("Error");
    }
});
PHP:
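<?php
$arr = array("element1", "element2", array("element31", "element32"));
$arr['name'] = "response";
// Only a plain identifier is accepted as the callback name, so the GET
// parameter cannot inject script into the response.
$callback = isset($_GET['callback']) ? $_GET['callback'] : '';
if (!preg_match('/^[A-Za-z_]\w*\z/', $callback)) { http_response_code(400); exit; }
header('Content-Type: application/javascript; charset=utf-8');
echo $callback . "(" . json_encode($arr) . ");";
?>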
The echo might be wrong, it's been a while since I've used PHP. In any case you need to output callbackName('jsonString'); notice the quotes. jQuery will pass its own callback name, so you need to get that from the GET params.
And as Stefan Kendall posted, $.getJSON() is a shorthand method, but then you need to append 'callback=?' to the URL as a GET parameter (yes, the value is ?, jQuery replaces this with its own generated callback method).
allow cross domain ajax requests
As mentioned above, anyone can send a request to your page at any time: so the major security concerns you need are to validate user input and only reveal information that is available for public consumption. But that applies to all scripts.
The two main issues you need to concentrate on (after validating user input) are:
- The problem you may have is users receiving the information into their scripts. Depending on the browser (and even between flavours of the same browser) there are different security rules that prevent them from getting the information back. A common solution to this is to provide information back as "JSONP" which is to wrap your return value as a function call that can be executed by the client. Here's a quick example (taken from http://www.geekality.net/2010/06/27/php-how-to-easily-provide-json-and-jsonp/). To further lock it down, you can insist that all queries are JSONP and reject anyone not sending the callback function.
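<?php
// JSONP is executed as script, so serve it as JavaScript and accept only a
// plain identifier as the callback name; anything else is rejected.
$callback = isset($_GET['callback']) ? $_GET['callback'] : '';
if (!preg_match('/^[A-Za-z_]\w*\z/', $callback)) { http_response_code(400); exit; }
header('Content-Type: application/javascript; charset=utf-8');
$data = array(1, 2, 3, 4, 5, 6, 7, 8, 9);
echo $callback . '(' . json_encode($data) . ')';
?>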
- Someone abusing your service by calling too regularly. Solutions for this are to trap the IP address and reject if you get too many calls from an IP address. Not foolproof, but it's a start.
Other factors to bear in mind:
- cookies and other headers set by your script will probably be ignored
- same applies to sessions
how to solve cross domain in ajax
You need to use JSONP to make CROSS DOMAIN Requests.
Please read:
Loading cross domain endpoint with jQuery AJAX
Make cross-domain ajax JSONP request with jQuery
Allow headers in cross-domain ajax request
It seems that each header must explicitly be listed and I added x-test-header to Access-Control-Allow-Headers.
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Header set Access-Control-Allow-Headers "x-test-header, Origin, X-Requested-With, Content-Type, Accept"
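An added example, not taken from any of the answers above: it models in JavaScript the exact scheme/host/port comparison that makes a request cross-origin, and a preflight decision that echoes back only an allow-listed origin and explicitly listed headers instead of "*". The allow-list values and the function names are assumptions for illustration.

```javascript
// Added illustration; ALLOWED_ORIGINS, ALLOWED_METHODS, ALLOWED_HEADERS and
// both function names are hypothetical, not part of any answer above.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'];
const ALLOWED_HEADERS = ['x-test-header', 'origin', 'x-requested-with',
                         'content-type', 'accept'];

// Two URLs share an origin only if scheme, host and port all match exactly.
// URL.origin drops a default port, so http://host and http://host:80 are equal.
function isCrossOrigin(pageUrl, resourceUrl) {
  return new URL(pageUrl).origin !== new URL(resourceUrl).origin;
}

// Decide the response headers for a CORS preflight (OPTIONS) request.
// origin           -> value of the Origin request header
// method           -> value of Access-Control-Request-Method
// requestedHeaders -> value of Access-Control-Request-Headers (comma list)
// Returns null when anything is off the allow-list; the server then sends no
// CORS headers and the browser blocks the cross-origin call.
function preflightHeaders(origin, method, requestedHeaders) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  if (!ALLOWED_METHODS.includes(String(method).toUpperCase())) return null;
  const wanted = String(requestedHeaders || '')
    .split(',')
    .map((h) => h.trim().toLowerCase()) // header names are case-insensitive
    .filter(Boolean);
  if (!wanted.every((h) => ALLOWED_HEADERS.includes(h))) return null;
  return {
    'Access-Control-Allow-Origin': origin, // the matched origin, not "*"
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
    'Vary': 'Origin', // caches must key the response on the requesting origin
  };
}
```
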