I am trying to get JSON (getJSON()) from a server that doesn't have JSONP support implemented. Namely, when adding callback=? to the URL, the server does return the data, but it returns pure JSON without padding.
I understand this is something that must be corrected server-side - there is no way to resolve it in jQuery. Is this correct?
If the server supports neither CORS nor JSONP, you might try a proxy approach in such cases. One example is http://www.corsproxy.com/; there should be other proxy alternatives too.
What does it do?
CORS Proxy allows javascript code on your site to access resources on other domains that would normally be blocked due to the same-origin policy.
How does it work?
CORS Proxy takes advantage of Cross-Origin Resource Sharing, which is a feature that was added along with HTML 5. Servers can specify that they want browsers to allow other websites to request resources they host. CORS Proxy is simply an HTTP Proxy that adds a header to responses saying "anyone can request this".
The server sending JSON to the API is a Tomcat server in the Gradle packages (it is built in Java).
I am having trouble making an API call with Angular. I know my API is working because I can view it in Postman.
var app = angular.module("todo", []);
app.controller("AppCtrl", function($http) {
    // the URL below has no scheme (http://), so it is not an absolute URL
    $http.get("192.168.5.100:8080/aggregators/datafile")
        .success(function(data) {
            console.log(data);
        });
});
When I run it I get the following error:
XMLHttpRequest cannot load %3192.168.5.100:8080/aggregators/datafile. Cross origin requests are only supported for HTTP.
The problem you're running into is that you can't make cross origin requests from the browser without CORS or using JSONP.
Postman operates outside of the context of the browser (as if you had issued a cURL request, if you're familiar with cURL).
This is for security reasons.
So, how do you implement JSONP? It really depends on the server, but in general, your resource would look for a GET request that had a pre-determined querystring parameter (normally callback for simplicity):
http://192.168.5.100:8080/aggregators/datafile?callback=mycallback
How do you make a JSONP call?
The server wraps the JSON in that callback, causing it to look something like the following:
mycallback({json:object});
This Stack Overflow answer goes into more detail.
The callback is the function the browser should hit when the request is executed, and that's what allows for cross-domain requests.
Now, on to CORS.
CORS is a system for allowing the browser to communicate with the server to determine whether or not it should accept a cross-domain request. It's a bit complicated, but in general it involves setting up certain headers on your API server, and then executing an Ajax request in a particular fashion (for jQuery, use the withCredentials property for $.ajax). The server checks where the request is from, and if it's a valid source, it lets the browser know and the browser allows the request (I'm being simplistic).
MDN has a thorough explanation of CORS that is worth reading.
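As an added example (not code from any of the answers above), here is the server side of what this answer describes: when callback= is present the JSON is wrapped in that callback, otherwise plain JSON is returned (the branch the first question's server was missing). The callback name is validated before it is reflected, because the body is served as script; the request URL, data and response object shape are all constructed for the example.

```javascript
// Added example: the server side of JSONP as the answer describes it.
// Takes the request URL and the data to return; gives back a response object
// ({status, headers, body}) that any servlet or Node handler could emit.

// Callback names are reflected into a script, so only accept identifiers
// (dotted, to admit jQuery's "jQuery1234_5678" and Angular's "angular.callbacks._0").
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// JSON.stringify output is not quite script-safe: U+2028/U+2029 are legal
// inside JSON strings but end a line inside a <script>.
function toScriptSafeJson(data) {
  return JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Returns "mycallback({...});" or null when the callback name is unsafe.
function buildJsonpResponse(callbackName, data) {
  if (typeof callbackName !== 'string' || !SAFE_CALLBACK.test(callbackName)) {
    return null;
  }
  // The leading comment keeps caller-chosen bytes off the start of the body.
  return `/**/${callbackName}(${toScriptSafeJson(data)});`;
}

// With ?callback= the JSON is wrapped; without it plain JSON is returned.
function handleRequest(requestUrl, data) {
  const url = new URL(requestUrl, 'http://localhost');
  const callback = url.searchParams.get('callback');
  if (callback === null) {
    return { status: 200,
             headers: { 'Content-Type': 'application/json' },
             body: JSON.stringify(data) };
  }
  const body = buildJsonpResponse(callback, data);
  if (body === null) {
    return { status: 400,
             headers: { 'Content-Type': 'text/plain' },
             body: 'invalid callback parameter' };
  }
  return { status: 200,
           headers: { 'Content-Type': 'application/javascript',
                      'X-Content-Type-Options': 'nosniff' },
           body };
}
```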
I am trying to make a JQuery $.post to a Java Servlet. I integrated the Tomcat server into
Apache and if the Tomcat server is on the same machine as the Apache the $.post succeeded.
(The Java Servlet receives it).
If the Tomcat servlet is on a remote machine and if I make $.post(http://ip:8080/App/MyServlet,...) the servlet doesn't receive anything.
If I make a JQuery $.post on my machine I have like this $.post(Myservlet,.....).
If I try like this : $.post(http://localhost:8080/App/MyServlet,...) it doesn't work.
How should I make a JQuery $.post to a remote uri?
How should the remote uri for a Tomcat Servlet look like?
Thanks,
jQuery runs in the browser (client-side), which means it's subject to the browser's same-origin policy, which is a good thing.
This means ajax requests that are GET or POST can only be made to the domain of the page making the ajax request.
There are 2 ways to bypass the policy. The first is to have the remote server vouch for the request, the second is to sneak around the browser's same-origin policy.
So if you have control over the remote server, or if the admin who does takes requests to open the server/domain to foreign ajax requests, then the server just needs to send the following header:
Access-Control-Allow-Origin: your-local-domain.org
The browser gets back the response header, sees that the requesting page is in the above list, and allows the response through.
If you have no control over the remote server, here are the sneakier ways to get around same-origin policy:
Make an ajax request to a local url with the parameters, have it pass them along to the servlet, and then have that proxy script return whatever the servlet responds with.
JSONP (which I'm still fuzzy on, honestly, but jquery's ajax documentation goes into it)
Script injection, where you leverage the fact that the script element's src is not limited by the same-origin policy.
Of the 3, I think the first is the safest, least hackish, and most honest (so to speak), but JSONP has become the simple and easy way to pull off a cross-domain request in jQuery.
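The allowlist check this answer describes ("sees that the requesting page is in the above list"), as an added example that is not from the answer: the Access-Control-Allow-Origin value is computed from an exact-match allowlist, never reflected from an arbitrary Origin, and the preflight that a cross-origin $.post carrying a JSON body triggers is answered only for allowlisted origins. The ALLOWED_ORIGINS entries are placeholders.

```javascript
// Added example: the allowlist check behind Access-Control-Allow-Origin.
// The entries below are placeholders standing in for the sites you trust.
const ALLOWED_ORIGINS = new Set([
  'https://your-local-domain.org',  // the answer's example domain
  'http://localhost:8080',          // constructed for the check at the end
]);

// Headers to add to a response for a request that carried `origin`.
// The match is exact on scheme + host + port: a substring or regex test
// would also admit https://your-local-domain.org.evil.example.
function corsHeaders(origin, withCredentials = true) {
  if (origin === undefined || origin === null) {
    return {};   // same-origin page or a non-browser client (curl, Postman)
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { Vary: 'Origin' };   // no Allow-Origin header: the browser drops the response
  }
  const headers = {
    'Access-Control-Allow-Origin': origin,  // only ever an allowlisted value; never '*' with credentials
    Vary: 'Origin',                         // a shared cache must not reuse this for another origin
  };
  if (withCredentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';  // required for withCredentials requests
  }
  return headers;
}

// A $.post that sends application/json is not a "simple" request, so the
// browser sends an OPTIONS preflight first; answer it only for allowlisted
// origins and the methods the servlet actually accepts.
function handlePreflight(origin, requestedMethod) {
  const base = corsHeaders(origin);
  if (!base['Access-Control-Allow-Origin'] || !['GET', 'POST'].includes(requestedMethod)) {
    return { status: 403, headers: base };
  }
  return {
    status: 204,
    headers: {
      ...base,
      'Access-Control-Allow-Methods': 'GET, POST',
      'Access-Control-Allow-Headers': 'Content-Type',
      'Access-Control-Max-Age': '600',
    },
  };
}
```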
When I send a POST request through jQuery (cross domain) it is not authenticated and null comes back in the response, while when I send the same request using Burp Suite or HTTP Live Headers it works and is able to authenticate. Please suggest a solution for the problem.
JavaScript has a same origin policy. You can not make requests to other domains with the XMLHttpRequest object.
Most modern-day browsers support CORS, or you can use JSONP if you can make a GET request. If you can not use CORS or JSONP, you need to use a proxy on your server to send/retrieve the content.
I have a jquery plugin and I'm using jsonp for crossdomain call to a jsp file.
I want to restrict the jsp return values only to specific websites in our database.
To achieve this I need to somehow get the ip or url of the website the jsonp call triggered and not the client/user ip. I've tried the referer value in the http header but this will not work with IE and I guess this is not the best solution either.
How can I securely know who is calling my jsp file with my plugin, from his website?
Thanks in advance.
The simplest answer would be to issue each website a unique key or other identifier that they include in their request. You parse this identifier and flex your response appropriately.
However with a request originating from the client browser, you would have to be careful and would have to evaluate what you mean by how "securely" you need the request to be handled. (since the untrusted client would be making the request it would be a simple task to harvest and reuse such an identifier)...
Referrer (if present) could be used as a double check, but as you pointed out, this is unreliable and coming from an untrusted client computer, this portion of the request could be faked as well.
If we could assume some server side processing by the website owners, you could have them implement a proxy for the jsonp call (which would ensure such a token would never fall into the hands of the browser)... but we'd have to know if such a safeguard would really be worth it or not :)
I'm trying to improve the Java Html Document a little but I'm running into problems with the HttpURLConnection. One thing is that some servers block a request if the user agent is a Java VM. Another problem is that the HttpURLConnection does not set the Referrer or Location header field. Since several sites use these fields to verify that the content was accessed from their own site, I'm blocked here as well. As far as I can see the only resolution is to replace the URL handler of the HTTP protocol. Or is there any way to modify the default HTTP Handler?
Open the URL with URL.openConnection. Optionally cast to HttpURLConnection. Call URLConnection.setRequestProperty/addRequestProperty.
The default User-Agent header value is set from the "http.agent" system property. The PlugIn and WebStart allow you to set this property.
If you use Apache HttpClient to manage your programmatic HTTP connectivity you get an extremely useful API which makes creating connections (and optional automatic re-connecting on fail), setting Headers, posts vs gets, handy methods for retrieving the returned content and much much more.
I solved my problem. We can just send the header to application/json and pass the body as a json object. That simply solves the issue.