From what I understand, cross-domain AJAX calls are not possible for security reasons.

I've understood that it's possible to do it by using JSON-P though.

My question: why are cross-domain AJAX calls forbidden, but actually possible in a less practical way? It would be simpler to just authorize it.

How are you supposed to handle those kinds of simple scenarios:

  • geocoding a location by calling Google Maps webservice
  • fetching Flickr images through its webservice
  • AJAX to a different domain that is still the same application (server farms, for example?)
  • ... (those are just examples)

If I have to wrap/proxy these calls with a server-side script, that's just boring and wasted time... You can't make a full JavaScript application in the end? (if you want to use external web services, I mean)

Matthieu Napoli

1 Answer

why are cross-domain AJAX calls forbidden

You are logged on to your bank, right? OK, I'll just make an Ajax request to your bank and read your account number, sort code, and so on.

How are you supposed to handle those kinds of simple scenarios

  • Server side proxy
  • JSON-P
  • CORS

If I have to wrap/proxy these calls with a server-side script, that's just boring and wasted time

Many things would be easier if we didn't have to worry about security. We wouldn't need locks on doors, passwords on accounts, etc, etc.

Quentin
  • Very great answer, thank you, I didn't think of the sessions. Indeed that's serious ;). However I don't understand why JSON-P is different from a direct AJAX call (regarding security)? The call is still made by the client (browser-side)? – Matthieu Napoli Apr 10 '12 at 09:51
  • JSON-P has to be deliberately exposed by the site hosting the service. – Quentin Apr 10 '12 at 09:52
  • Ah OK, so it's deliberately not using the session or anything like that then, I guess. Thanks – Matthieu Napoli Apr 10 '12 at 09:54