Allow Cross Domain Ajax Requests


As mentioned above, anyone can send a request to your page at any time: so the major security concerns you need are to validate user input and only reveal information that is available for public consumption. But that applies to all scripts.

The two main issues you need to concentrate on (after validating user input) are:

  1. The problem you may have is users receiving the information into their scripts. Depending on the browser (and even between flavours of the same browser) there are different security rules that prevent them from getting the information back. A common solution to this is to provide information back as "JSONP" which is to wrap your return value as a function call that can be executed by the client. Here's a quick example (taken from http://www.geekality.net/2010/06/27/php-how-to-easily-provide-json-and-jsonp/). To further lock it down, you can insist that all queries are JSONP and reject anyone not sending the callback function.


<?php

// Only accept a plain identifier as the callback name; echoing an arbitrary
// string straight into a script response lets the caller inject script.
$callback = isset($_GET['callback']) ? $_GET['callback'] : '';
if (!preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*$/', $callback)) {
    http_response_code(400);
    exit('missing or invalid callback');
}
// JSONP is a script, not a JSON document, so label it as such.
header('Content-Type: application/javascript; charset=utf-8');
$data = array(1, 2, 3, 4, 5, 6, 7, 8, 9);
echo $callback . '(' . json_encode($data) . ');';

?>

  2. Someone abusing your service by calling too regularly. Solutions for this are to trap the IP address and reject if you get too many calls from an IP address. Not foolproof, but it's a start.

Other factors to bear in mind:

  • cookies and other headers set by your script will probably be ignored
  • same applies to sessions

Allow headers in cross-domain ajax request

It seems that each header must explicitly be listed and I added x-test-header to Access-Control-Allow-Headers.

Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Header set Access-Control-Allow-Headers "x-test-header, Origin, X-Requested-With, Content-Type, Accept"

How to send a cross domain ajax request

Put it at the top of config.php:

header('Access-Control-Allow-Origin: *');

Making Cross Domain Ajax Requests

The only true answer is 1. Simply because CORS preflight request fails on 3 and 4, so the actual request never even takes place.
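The three answers above all grant CORS access with a blanket `*` origin or a hand-maintained header list. As an added example that is not from any of those answers, the Node.js code below computes the CORS response headers from an explicit origin allow-list and answers the preflight `OPTIONS` request that the last answer mentions. The allow-list, method list and header list are constructed for illustration; `x-test-header` is taken from the Apache snippet above.

```javascript
// Added example, not from the answers above: CORS headers from an allow-list,
// and a preflight handler, instead of Access-Control-Allow-Origin: *.
const ALLOWED_ORIGINS = new Set([          // constructed sample allow-list
  'https://app.example.com',
  'https://admin.example.com',
]);
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];                       // constructed
const ALLOWED_HEADERS = ['content-type', 'x-requested-with', 'x-test-header']; // constructed

// Weak form, as in the answers above: every origin may read the response.
// Browsers refuse to pair "*" with credentials, so cookies never flow, but
// any site on the web can read whatever the endpoint returns.
function wildcardCorsHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hardened form: echo the Origin only when it is on the allow-list, and send
// Vary: Origin so a shared cache never serves one origin's grant to another.
function corsHeadersFor(requestHeaders) {
  const origin = requestHeaders.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {}; // no CORS grant at all
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Preflight: the browser sends OPTIONS naming the method and request headers
// it intends to use. Every custom header must be listed explicitly, which is
// why the Apache snippet above had to add x-test-header by hand. A non-2xx
// answer here means the real request is never sent.
function handlePreflight(requestHeaders) {
  const base = corsHeadersFor(requestHeaders);
  if (!base['Access-Control-Allow-Origin']) return { status: 403, headers: {} };
  const method = (requestHeaders['access-control-request-method'] || '').toUpperCase();
  const wanted = (requestHeaders['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_METHODS.includes(method)) return { status: 403, headers: {} };
  if (!wanted.every(h => ALLOWED_HEADERS.includes(h))) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      ...base,
      'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
      'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
      'Access-Control-Max-Age': '600',
    },
  };
}

// A constructed preflight from an allowed origin that wants to POST with
// Content-Type and x-test-header.
console.log(handlePreflight({
  origin: 'https://app.example.com',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'X-Test-Header, Content-Type',
}).status); // 204
```

In a real server, `corsHeadersFor(req.headers)` is merged into every response and `handlePreflight(req.headers)` answers `OPTIONS`; Node lowercases incoming header names, which is why the lookups above use lowercase keys.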

jQuery ajax request being blocked because Cross-Origin

Try to use JSONP in your Ajax call. It will bypass the Same Origin Policy.

http://learn.jquery.com/ajax/working-with-jsonp/

Try this example:

$.ajax({
    url: "https://api.dailymotion.com/video/x28j5hv?fields=title",
    dataType: "jsonp",
    success: function( response ) {
        console.log( response ); // server response
    }
});

Disable cross-domain ajax request

Sounds like you want a content security policy (CSP) to restrict what resources and Ajax destinations the page can and can't use.

The same-origin policy is designed to prevent websites from reading credentialed responses from a third party (e.g., I load evil.com, and that site instructs my browser to fetch my online bank statements, using my bank.com cookies). The SOP is not intended to prevent users or sites from sending data wherever they like.

The site's CSP is intended to whitelist access to resources, in the event that either:

  1. the site is compromised by an XSS attack and suddenly behaves in ways you didn't anticipate, or
  2. the site runs content supplied by user A on a browser owned by user B, and that content needs to be sandboxed.

To be clear, the danger in case #2 is not that a user can run his own JavaScript, but that a user might run some other user's script.

An example CSP might be:

Content-Security-Policy: default-src 'self'; frame-src 'none'; object-src 'none';

This will block any attempt to load iframes or plugins, and it restricts all other resource loads (including images, scripts, stylesheets, and Ajax requests) to the current origin. If you want to allow plugins or iframes, you can remove either of those directives and they will fall back to the default-src directive. You can use the connect-src directive to limit Ajax specifically.

Note also that if you let users run arbitrary scripts, you will likely still have serious problems (e.g., rewriting the page with misleading content), even with a very restrictive CSP taking care of cross-origin network requests.
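To make the fallback rule in the answer above concrete, here is an added example (not from the answer, and not a browser's real CSP engine) that parses a policy string and decides whether a load governed by a given directive, such as connect-src for Ajax, is permitted. It handles 'self', 'none', '*', scheme sources and host sources with an optional "*." label; ports, nonces and hashes are deliberately left out. The page URL and the second policy are constructed for illustration; the first policy is the one quoted in the answer.

```javascript
// Added example, not from the answer above: a small evaluator for CSP fetch
// directives that applies the default-src fallback the answer describes.
const FETCH_DIRECTIVES = ['connect-src', 'frame-src', 'img-src', 'object-src',
                          'script-src', 'style-src', 'font-src', 'media-src'];

// "default-src 'self'; frame-src 'none'" -> { 'default-src': ["'self'"], 'frame-src': ["'none'"] }
function parseCsp(policyText) {
  const directives = {};
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1); // first occurrence wins
  }
  return directives;
}

// Does one source expression permit a load of `target` from a page at `page`?
function sourceMatches(expr, target, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return target.origin === page.origin;
  if (e === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return target.protocol === e;          // scheme-source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(e);    // host-source
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  // A source without a scheme means the page's own scheme; an http page may
  // also reach the same host over https.
  const schemes = scheme ? [scheme + ':'] : [page.protocol, 'https:'];
  if (!schemes.includes(target.protocol)) return false;
  const th = target.hostname.toLowerCase();
  return wildcard ? th.endsWith('.' + host) : th === host;
}

// Is a load governed by `directive` to targetUrl allowed on a page at pageUrl?
// A missing fetch directive falls back to default-src; if that is missing too,
// the policy does not govern the load at all.
function cspAllows(policyText, directive, targetUrl, pageUrl) {
  const policy = parseCsp(policyText);
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  let sources = policy[directive];
  if (sources === undefined && FETCH_DIRECTIVES.includes(directive)) {
    sources = policy['default-src'];
  }
  if (sources === undefined) return true;
  return sources.some(expr => sourceMatches(expr, target, page));
}

// The policy quoted in the answer, evaluated for a few loads from a constructed page.
const POLICY = "default-src 'self'; frame-src 'none'; object-src 'none';";
const PAGE = 'https://www.example.com/app';
console.log(cspAllows(POLICY, 'connect-src', 'https://www.example.com/api/data', PAGE)); // true
console.log(cspAllows(POLICY, 'connect-src', 'https://api.example.net/data', PAGE));     // false
console.log(cspAllows(POLICY, 'frame-src', 'https://www.example.com/embed', PAGE));      // false
```

The first call shows why the answer says the policy already covers Ajax: connect-src is absent, so the request is judged against default-src 'self' and only same-origin calls pass. Adding an explicit connect-src line is how you open one extra API host without widening everything else.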

jQuery AJAX cross domain

Use JSONP.

jQuery:

$.ajax({
    url: "testserver.php",
    dataType: 'jsonp', // Notice! JSONP <-- P (lowercase)
    success: function(json){
        // do stuff with json (in this case an array)
        alert("Success");
    },
    error: function(){
        alert("Error");
    }
});

PHP:

<?php
$arr = array("element1","element2",array("element31","element32"));
$arr['name'] = "response";
// Validate the callback name before echoing it; otherwise whatever is in the
// callback parameter is reflected straight into the script response.
$callback = isset($_GET['callback']) ? $_GET['callback'] : '';
if (!preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*$/', $callback)) { http_response_code(400); exit; }
header('Content-Type: application/javascript; charset=utf-8');
echo $callback."(".json_encode($arr).");";
?>

The echo might be wrong, it's been a while since I've used php. In any case you need to output callbackName('jsonString') notice the quotes. jQuery will pass its own callback name, so you need to get that from the GET params.

And as Stefan Kendall posted, $.getJSON() is a shorthand method, but then you need to append 'callback=?' to the url as GET parameter (yes, value is ?, jQuery replaces this with its own generated callback method).

how to solve cross domain in ajax

You need to use JSONP to make CROSS DOMAIN Requests.

Please read:

Loading cross domain endpoint with jQuery AJAX

Make cross-domain ajax JSONP request with jQuery
